dalmer Posted February 16, 2014

Hello there, I'm assuming Kickstarter is notifying account holders via email, but just in case:

Hackers hit crowd-funding site Kickstarter and made off with user information, the site said Saturday. Though no credit card info was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords. "Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, adding that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password." The site said law enforcement told Kickstarter of the breach on Wednesday night and that the company "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system." The site also said "no credit card data of any kind was accessed by hackers" and that "there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."

Stay safe, don
Guest Posted February 16, 2014

"there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."

They use this phrase a lot. Does it really mean anything? I mean, no "evidence" of "unauthorized" activity. Grey truth. So if Kickstarter let the hackers in, then it was authorized, so this statement is true. If the hackers were unauthorized, but didn't leave evidence, then it's also true. Could also be that Kickstarter deleted the evidence to avoid further bad press, which still makes the above a true statement.

-Pax
Mach_5 Posted February 16, 2014

It's also prudent to change your passwords on other sites if you use the same email/password for those other accounts.
Burk Posted February 16, 2014

Yep, I went on a password-changing binge this morning.
Blasto Posted February 18, 2014

On the positive side, Kickstarter actually told their client base rather than hiding it like many companies do. Yahoo email is actually the worst one, as they are the most hacked of the "free email" biggies. Enough that if you use an @yahoo address, I would strongly suggest closing it in favor of something different.
JuliusRedwings Posted February 19, 2014

Quote: On the positive side, Kickstarter actually told their client base rather than hiding it like many companies do. Yahoo email is actually the worst one, as they are the most hacked of the "free email" biggies. Enough that if you use an @yahoo address, I would strongly suggest closing it in favor of something different.

I can't remember 1/2 the sites I use my Yahoo email as the user name... my internets would suffer if I quit them...
Guest Posted February 19, 2014

Quote: On the positive side, Kickstarter actually told their client base rather than hiding it like many companies do.

If they tell you, it just means that they didn't think the cost of telling would exceed the cost of hiding.

-Pax
xipetotec Posted February 19, 2014

They're legally required to notify customers: http://en.wikipedia.org/wiki/Security_breach_notification_laws

Also, they probably said there was no evidence of unauthorized activity because there probably wasn't. Nobody is hacking Kickstarter so they can use your account to kickstart games; they're trying to get your email, password and other useful data that they can use to make real money.

On top of all that, the passwords were encrypted, so they're fairly useless unless someone wants to brute force them (not likely) or you used a common password that can be rainbow tabled (seriously, use a better password).
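The two claims above, the blog post's "a malicious person with enough computing power [can] guess and crack an encrypted password, particularly a weak or obvious one" and xipetotec's point that only brute force or a rainbow table gets anything out of a stolen password table, come down to one question: how much hashing does the attacker have to do per account? The following is an added example, not code from this thread and not Kickstarter's own password storage, which the thread does not describe. The "leaked" rows, salts, wordlist and the three storage schemes (unsalted SHA-1, salted SHA-1, salted PBKDF2-HMAC-SHA256) are constructed to show the difference; the row field names and the `make_leak`, `precompute_table` and `crack` helpers are mine. What the page calls "encrypted" passwords are, in this example, hashed ones, which is what a password table normally holds.

```python
import hashlib
import hmac

# Constructed sample wordlist; real attacks use lists of millions of leaked
# passwords, but the mechanics are identical.
WORDLIST = ["password", "123456", "kickstarter", "letmein", "qwerty", "dragon"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def pbkdf2_hex(password: bytes, salt: bytes, iterations: int) -> str:
    # PBKDF2-HMAC-SHA256: one guess costs `iterations` HMAC evaluations.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def make_leak() -> list:
    """Constructed 'leaked' password table (assumed schema, not any real site's).

    Each row records its storage scheme so the attacker knows how to test a
    guess; in practice the scheme is usually recoverable from the dump itself.
    """
    salt_b = bytes.fromhex("a1b2c3d4e5f60718")
    salt_c = bytes.fromhex("0011223344556677")
    salt_d = bytes.fromhex("8899aabbccddeeff")
    return [
        # Unsalted SHA-1 of a top-10 password: a precomputed table cracks it instantly.
        {"user": "alice", "scheme": "sha1", "salt": b"",
         "hash": sha1_hex(b"password")},
        # Salted SHA-1: the table no longer applies, but each guess is still cheap.
        {"user": "bob", "scheme": "sha1", "salt": salt_b,
         "hash": sha1_hex(salt_b + b"letmein")},
        # Salted, iterated hash: each guess costs 100,000 HMACs, yet a dictionary
        # word still falls; the slow hash only buys time.
        {"user": "carol", "scheme": "pbkdf2", "salt": salt_c, "iterations": 100_000,
         "hash": pbkdf2_hex(b"qwerty", salt_c, 100_000)},
        # Long passphrase absent from the wordlist: survives even cheap salted SHA-1.
        {"user": "dave", "scheme": "sha1", "salt": salt_d,
         "hash": sha1_hex(salt_d + b"correct-horse-battery-staple-2014")},
    ]


def precompute_table(wordlist: list) -> dict:
    """hash -> password for unsalted SHA-1; built once, reused across every dump.

    This is the idea behind a rainbow table (which trades memory for
    recomputation via hash chains, but amortises the work the same way).
    """
    return {sha1_hex(w.encode()): w for w in wordlist}


def crack(rows: list, wordlist: list) -> tuple:
    """Dictionary attack over the leak.

    Returns (recovered, work): recovered maps user -> password, work counts
    the hash/HMAC evaluations the attacker had to perform.
    """
    table = precompute_table(wordlist)
    work = len(wordlist)          # cost of building the table, paid once
    recovered = {}
    for row in rows:
        if row["scheme"] == "sha1" and not row["salt"]:
            # Unsalted: a dictionary lookup, zero extra hashing per row.
            if row["hash"] in table:
                recovered[row["user"]] = table[row["hash"]]
            continue
        # Salted: every candidate must be re-hashed under this row's salt.
        for word in wordlist:
            if row["scheme"] == "sha1":
                guess = sha1_hex(row["salt"] + word.encode())
                work += 1
            elif row["scheme"] == "pbkdf2":
                guess = pbkdf2_hex(word.encode(), row["salt"], row["iterations"])
                work += row["iterations"]
            else:
                raise ValueError(f"unknown scheme {row['scheme']!r}")
            if hmac.compare_digest(guess, row["hash"]):
                recovered[row["user"]] = word
                break
    return recovered, work


if __name__ == "__main__":
    found, cost = crack(make_leak(), WORDLIST)
    for user, password in found.items():
        print(f"{user}: {password}")
    print(f"work units: {cost}")
```

Running it recovers alice, bob and carol and leaves dave alone. The unsalted row costs nothing beyond the table built once for every dump ever leaked; the salted SHA-1 row costs one cheap hash per guess; the PBKDF2 row costs 100,000 HMACs per guess, which is why the iteration count (or bcrypt's cost factor) matters, but none of that rescues a password that is on the wordlist. That is the practical content of both posts: the storage scheme decides how fast the cracking goes, the password decides whether it finishes at all.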
Guest Posted February 19, 2014

Quote: They're legally required to notify customers: http://en.wikipedia.org/wiki/Security_breach_notification_laws Also, they probably said there was no evidence of unauthorized activity because there probably wasn't. Nobody is hacking Kickstarter so they can use your account to kickstart games; they're trying to get your email, password and other useful data that they can use to make real money. On top of all that, the passwords were encrypted, so they're fairly useless unless someone wants to brute force them (not likely) or you used a common password that can be rainbow tabled (seriously, use a better password).

You know the linked wiki page doesn't include Oregon or US national laws about the subject? It only says California and the EU have passed such laws. Not sure where Kickstarter is based, but they might not be subject to these.

In addition, I'll assume that undiscovered breaches are not included in the law, so a company that denies knowledge could be effectively exempt until proof was acquired that they did have such knowledge. I'll also assume that hackers based in law enforcement, or other branches of the government(s), probably don't count for these laws, despite being functionally the same concept as an illegal breach.

Lastly, this still doesn't cover people that don't hack; rather, they steal [in person] the data needed to access the system normally. For example, if I'm "given" the password and username to your PC, it really isn't hacking or a breach of security should I be able to use your PC. After all, the digital security is working fine.

-Pax
xipetotec Posted February 19, 2014

Of course you could just follow the links provided in the article and see that Oregon does in fact have laws about this: http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf

And Kickstarter is based in New York, which also has laws on the books about that.

Not sure what the rest of your points were trying to bring up... If a company knows about a breach and is required to disclose it and doesn't, it's in violation of the law; it's not like these breaches are hard to detect either. Law enforcement and the government don't need to hack into a database for usernames and passwords; they just say "terrorist" and the courts let them in, which isn't a data breach. And people who get your username and password and access a single account aren't a data breach either. That's at most illegal access and mostly just personal stupidity for giving out usernames/passwords.