Well, that does it. I didn’t want to post on rumor but now numerous legitimate news sites are editorializing and the CEO of Kickstarter, Yancey Strickler has come out and apologized on the company blog I think it is time for us to discuss and perhaps even criticize. Let us look at some of her comments.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data.”
So not only was the site hacked and data leaked, they had no systems in place to detect such a leak and suffered the embarrassment of a third party – in this case a law enforcement agency – notifying them that their site has been owned.
As for the users – kickstarter has obviously fixed whatever vulnerability allowed access and now recommends that all users reset their passwords. A typical response to such an event by a medium enterprise. After all, this isn’t AMEX or anything remotely worth losing sleep over. That said, credit card data obviously changes hands on the site but we can rest assured.
“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”
Wow. Thanks Ms. Strickler I think your users will choose a new password and sleep better tonight. But, hang on…
“While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.”
So while by some miracle of luck they used an external payment gateway and thus the card numbers were saved all of the other information is likely floating around on a torrent site in an sqldump.
Realistically how dangerous is this breach to the average user (assuming their password hash isn’t guessed) – more than likely identity thieves would value this information and could likely launch a springboard attack possibly by using social engineering techniques to perhaps call your ISP and request a password reset on your email account. All of the details for phone verification of the user’s identity have kindly be provided. From there who know where access to your mail stream could take him? Sensitive information is routinely sent in the clear over email. Our hypothetical criminal would be best to instead ask the friendly ISP to add a “cc” to an address owned by the attacker so that the mailbox password need not be reset, obviously raising alarm.
I suspect that if we take this data and compare it with other recent(ish) breaches like gawker and Sony we will likely see many of the same accounts. An analysis of this would prove very interesting.
So what should you take from this? Never re-use passwords so that even if they happen to crack your hash (unlikely with a decent non-dictionary password but nonetheless) you are still safe. Understand that your email address if reused can be used to profile your time online and what sites you have subscribed to so perhaps generating some aliases isn’t a bad idea. And I guess the most important lesson is that you don’t matter to these corporate website owners – so be proactive and if necessary feed false data (date of birth, mother’s birth name etc) where you don’t trust the site. Don’t ever rely on a corporation to keep your secrets secret.
This shouldn’t have happened and the CEO’s comments don’t fly with me. Such a large website needs to protect its core asset – its user base. Clearly the users of kickstarter are not worth the trouble.