Crowdfunding website Kickstarter has been hacked, with an unknown number of customer accounts accessed by criminals.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” chief executive Yancey Strickler said on the company blog. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”
The firm said that credit card information was not accessed, and that there is “no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”
It said that personal information was stolen, including usernames, email addresses, mailing addresses, phone numbers and encrypted passwords.
“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” the message said.
The company urged users to change their passwords on Kickstarter, as well as on any sites where the same password is used.
It is not known who is responsible for the attack or how many users are affected by the breach.
“We’re incredibly sorry that this happened,” said Kickstarter in a statement. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.”
Experts said that Kickstarter had done the right thing by notifying users and asking them to reset passwords.
“It’s wise to do this even though Kickstarter stored its passwords in encrypted form,” commented Keith Bird, UK managing director of Check Point.
“But users should be very cautious about clicking on links in any follow-up emails that they receive that appear to come from Kickstarter or related organisations, no matter how plausible the emails appear to be. There’s a real risk that the details stolen in the hack may be used in phishing attacks, to try and harvest more personal data.”