Over the weekend, Kickstarter, the crowdfunding site for products and startups, sent a notice to everyone who has used the site to alert them to a confirmed break-in. The breach gave intruders unauthorized access to user account information.
In his email, Kickstarter CEO Yancey Strickler assured customers that credit card information was not accessed, but the intruders did obtain usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. He went on to say that the actual passwords were not revealed, but that an attacker with enough computing power could crack the encrypted ones. The practical point is that such stored passwords are salted one-way hashes rather than reversible ciphertext, so nothing stops whoever holds the dump from guessing candidate passwords offline, hashing each one with the stolen salt, and comparing; weak or common passwords fall first, and the cost of that attack depends entirely on how expensive each guess is to compute.
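To make the "enough computing power" point concrete, here is a small added example (not code from Kickstarter or from the original post) of the offline guessing attack that a stolen password database invites. It stores a password two ways, as a single salted SHA-1 digest and as PBKDF2-HMAC-SHA256 with 100,000 iterations, then runs the same dictionary against both. The wordlist and the passwords are constructed for the demonstration; the hash choices are assumptions used to contrast a cheap hash with a deliberately slow one, not a statement of what Kickstarter used.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a leaked-password dictionary; real attacks use
# tens of millions of entries and rules, but the mechanics are identical.
WORDLIST = ["123456", "password", "kickstarter", "letmein",
            "qwerty", "password123", "iloveyou", "welcome1"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-1 digest: cheap for the site, equally cheap per guess."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str, hasher):
    """What the site keeps on disk: a random per-user salt and the digest."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def crack(salt: bytes, digest: bytes, hasher, wordlist):
    """Offline dictionary attack against one stolen record.

    Returns (recovered_password or None, number_of_guesses_tried). The salt
    does not hide anything from the attacker; it only stops precomputation.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hasher(candidate, salt), digest):
            return candidate, guesses
    return None, len(wordlist)


def cost_per_guess(hasher, samples: int = 5) -> float:
    """Seconds one guess costs the attacker with this hasher (rough estimate)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hasher("benchmark", salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    weak = "password123"       # constructed weak password, present in WORDLIST
    strong = "xK9#vq2LmT!4pRw"  # constructed strong password, absent from WORDLIST

    for name, hasher in (("salted SHA-1", fast_hash), ("PBKDF2 100k", slow_hash)):
        salt, digest = store(weak, hasher)
        found, tried = crack(salt, digest, hasher, WORDLIST)
        per_guess = cost_per_guess(hasher)
        print(f"{name}: recovered {found!r} after {tried} guesses; "
              f"~{per_guess * 1e6:.0f} us per guess, "
              f"~{per_guess * 1e7 / 3600:.1f} h for 10 million guesses")

    salt, digest = store(strong, fast_hash)
    print("strong password in wordlist:", crack(salt, digest, fast_hash, WORDLIST)[0])
```

The salt is stored next to the digest, so it does nothing against this attack beyond forcing each record to be attacked separately; what actually buys time after a breach is the per-guess cost, which is why slow, tunable password hashes exist and why users with guessable passwords are the ones who need to change them immediately.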
Kickstarter learned of the breach from law enforcement officials. Once alerted, the company said it strengthened security measures across the board so that the same intrusion cannot be repeated. It has nonetheless asked current customers to go to the site and change their passwords, and anyone who reused that password elsewhere should change it there as well, since a cracked hash is valid on every site that shares the password.
Strickler also said that Kickstarter will continue to improve security in the "weeks and months to come" while working further with law enforcement, which suggests the investigation into how the intruders got in, and whether there were other points of entry, is still ongoing.
Did Kickstarter handle this correctly? Some are complaining that the notification was too slow in coming. Others believe Kickstarter did the right thing by working with law enforcement first, then securing the site, and then notifying the customer base.
This is just the latest in a string of high-profile intrusions that have ended in stolen customer data. While sites like Kickstarter are not representative of the cloud, each incident like this makes businesses more reluctant to trust anything that stores critical data outside the company's firewall.