Kickstarter Hacked — User Data Stolen

Kickstarter Email

Kickstarter Email sent February 15, 2014

I just received email from Kickstarter warning us that bad guys had hacked their site and stolen user data.

Kickstarter is doing the responsible thing by notifying its users, and it’s reassuring that credit card data was not taken.

The one gotcha is that encrypted account passwords were stolen.  Kickstartser says that with enough time, the bad guys could break the encryption, copy your password, and try signing on to other sites on the Internet using your email address and the de-crypted password stolen from Kickstarter.

Fortunately, if Kickstarter used reasonable encryption technology, it’s not likely that bad guys would be able to easily or quickly break the encryption and get your password in a readable form.  But, Kickstarter’s message provides a concrete example of the security mumbo-jumbo we are given every day.

  • You should use unique passwords for every site, especially sites like banking or ordering sites which remember your credit card number.  When you use unique passwords, if a site is broken into you have to change your password for that one site.  If you share passwords among sites, you have to change that password on every site it’s used when it’s compromised on any of the sites.

Remembering and managing passwords can be a pain, I know. The solution is to use  a  password management tool that learns and remembers your passwords as you type them online.

I use LastPass, and recommend it highly. The basic service is free, and the premiem features are $1/month.

LastPass has browser plugins for Chrome, Internet Explorer, and Firefox… the browsers I use.  They have plugins for other browsers, too. These plugins watch for me to enter usernames and passwords, and they they ask me if LastPass should remember the data. If I say yes, LastPass stores the information securely, and I can have LastPass enter the username and password for me next time I visit the site.

Moreover, the information LastPass captures in Chrome is available to me in Firefox and on other computers.  I just sign on to LastPass when I start my browser and all of my usernames and passwords are available for retrieval.

As far as my Kickstarter password, it was a unique nonsense series of numbers, letters, and special characters which was itself generated by LastPass. I am feeling very smug.  I logged on to Kickstarter, had LastPass generate a new password there, and was done.

So, if you are a Kickstarter user, go to their site and change your password.  Maybe start using LastPass while you do it!  And, if used the Kickstarter password at other sites, then definitely visit all those sites and replace the common password with the random bits that LastPass will generate.