Crowdfunding website Kickstarter said in an email to its members on Saturday afternoon that hackers had broken into its platform and accessed the personal information of its users.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” CEO Yancey Strickler said in the message, which was also posted to the company blog. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”
The company said that credit card information was not accessed, and that there is “no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.” (Emphasis made by the company.)
That said, a bunch of personal information was stolen, including usernames, email addresses, mailing addresses, phone numbers and encrypted passwords.
“Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” the message said.
As a result, the company is urging users to change their passwords on Kickstarter, as well as on any sites where the same password is used.
It’s not clear who is responsible for the hack, how many user accounts have been affected, or why the company waited several days to notify its users. Earlier on Saturday, the Syrian Electronic Army said it had published user data from Forbes after it broke into the publisher’s system.
“We’re incredibly sorry that this happened,” the Kickstarter message says. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.”
I’ve reached out to Kickstarter for more information and will update this post when I hear back.
Update 6:45 pm ET: Kickstarter has added a section of questions and answers to the bottom of its post. In it, the company attempts to explain why it waited several days to notify its users — a question that has popped up several times on Twitter since news of the hack broke. “We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation,” the company said.
Kickstarter also reiterated that credit card data was not compromised. The company added that it never stores full credit card numbers, and retains only the last four digits “for pledges to projects outside of the U.S.”
A company spokesman has yet to respond to a couple of other queries from Re/code, including how long the hackers had access to the site.