from the hackers-want-crowdfunding-too dept.
According to a recent announcement, the crowdfunding site Kickstarter has been hacked. Kickstarter states that there was no credit card information stolen and that all unauthorized activity has been limited to only two accounts.
While the stored passwords are salted and hashed (with SHA-1 for older accounts and bcrypt for newer ones), the salt only defeats shared precomputed tables; an attacker holding the database can still guess each account's password offline, and a weak password will fall to a dictionary attack quickly against SHA-1 and merely more slowly against bcrypt. Users are strongly advised to change their passwords on Kickstarter and on any other site where they reuse the same password.
Further information can be found at the Kickstarter blog.
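To make the "weak password still at risk" point concrete, here is an added example (written for this page, not Kickstarter's code, and using constructed sample accounts and fixed salts so it is reproducible). It runs the same offline dictionary attack against salted SHA-1 and against a slow, salted KDF. The page only says "SHA-1", so the single round is an assumption, and PBKDF2 from the standard library stands in for bcrypt, which has no stdlib implementation; the point is the work factor, not the specific algorithm.

```python
import hashlib
import time

# Constructed sample data for this example. Salts are fixed so the run is
# reproducible; in a real system they are random per account.
WORDLIST = [b"letmein", b"123456", b"qwerty", b"password", b"kickstarter2014"]

USERS = [
    (b"alice", b"\x01" * 8, b"password"),          # weak, in the wordlist
    (b"bob",   b"\x02" * 8, b"123456"),            # weak, in the wordlist
    (b"carol", b"\x03" * 8, b"Tq9!vL#2rXp0^mW4"),  # strong, not in any wordlist
]


def sha1_salted(password: bytes, salt: bytes, rounds: int = 1) -> bytes:
    """Salted, iterated SHA-1. One round is an assumption for illustration."""
    digest = salt + password
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def pbkdf2_slow(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stand-in for bcrypt: a deliberately slow, salted KDF from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_records(hash_fn):
    """Build the 'leaked' table: (user, salt, stored_hash), as a breach would expose."""
    return [(user, salt, hash_fn(pw, salt)) for user, salt, pw in USERS]


def dictionary_attack(records, hash_fn, wordlist=WORDLIST):
    """Offline attack: hash each candidate with the victim's own salt and compare.

    Returns the recovered passwords and the number of hash computations spent.
    The salt forces this per-account loop (no shared rainbow table), but it does
    nothing to protect a password that is in the wordlist.
    """
    found = {}
    guesses = 0
    for user, salt, stored in records:
        for candidate in wordlist:
            guesses += 1
            if hash_fn(candidate, salt) == stored:
                found[user.decode()] = candidate.decode()
                break
    return found, guesses


def salt_defeats_shared_table() -> bool:
    """Same password, two salts, two different digests: a table built for one
    salt is useless against the other."""
    return sha1_salted(b"password", b"\x01" * 8) != sha1_salted(b"password", b"\x02" * 8)


def timed_attack(hash_fn):
    """Run the attack and report wall-clock cost, which is the only thing the
    slow KDF changes: the weak passwords are recovered either way."""
    records = make_records(hash_fn)
    start = time.perf_counter()
    found, guesses = dictionary_attack(records, hash_fn)
    return found, guesses, time.perf_counter() - start


if __name__ == "__main__":
    for name, fn in (("salted SHA-1", sha1_salted), ("PBKDF2 (bcrypt stand-in)", pbkdf2_slow)):
        found, guesses, secs = timed_attack(fn)
        print(f"{name}: recovered {found} in {guesses} guesses, {secs:.3f}s")
    print("salt defeats shared table:", salt_defeats_shared_table())
```

Both runs recover alice's and bob's passwords with the same eleven guesses; only the elapsed time differs, and carol's passphrase survives both because it is simply not in the list. That is why the advice is to change a weak or reused password rather than to rely on how it was hashed.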
(Score: 4, Funny) by The Mighty Buzzard on Saturday February 15 2014, @11:39PM
123
456
789
(Score: -1) by Anonymous Coward on Sunday February 16 2014, @02:54AM
(Score: 5, Funny) by clone141166 on Sunday February 16 2014, @12:22AM
(Score: 5, Funny) by mattie_p on Sunday February 16 2014, @01:40AM
(Score: 3, Informative) by Khyber on Sunday February 16 2014, @02:31AM
" Kickstarter states that there was no credit card information stolen and that all unauthorized activity has been limited to only two accounts."
That activity came from my two test accounts. I saw vulnerabilities my old website dealt with two years ago, and tried to harmlessly test them between two of my separate accounts. It worked. KS was notified and advised to stop those two accounts while I tried variations of the PCI-DSS flaw (that they'll ding you for even though it's their security fault.)
It's not a serious flaw, really. Only deals with non-USD transactions from what I've been able to tell. Not sure if this will affect bitcoin transactions on site or not.
Destroying Semiconductors With Style Since 2008
(Score: 1) by Maow on Sunday February 16 2014, @03:17AM
That doesn't jive with the link's claim:
This would seem odd if real hackers were attempting a breach though, which does mesh with your version:
(Score: 0, Offtopic) by Anonymous Coward on Sunday February 16 2014, @03:17AM
(Score: 2, Interesting) by soulde on Sunday February 16 2014, @03:31AM
(Score: -1, Troll) by combatserver on Sunday February 16 2014, @03:59AM
Ok, we need some DOWNWARD mod testing. *Takes one for the team*
9/11 was NOT an inside job, and I have proof!
I hope I can change this later...
(Score: -1, Troll) by Anonymous Coward on Sunday February 16 2014, @04:28AM
(Score: -1, Troll) by Anonymous Coward on Sunday February 16 2014, @04:31AM
(Score: 1) by mattie_p on Sunday February 16 2014, @05:12AM