• Change your Kickstarter password - they got hacked
    24 replies, posted
[url]http://gizmodo.com/uh-oh-kickstarters-ceo-yancey-strickler-says-that-the-1523614348[/url] [QUOTE]A blog post released today says Kickstarter was first made aware of the hack on Wednesday, and that upon learning of the breach the tech team immediately closed the security vulnerability that allowed it. [B]And while credit card info seems to be safe (Kickstarter says only two user accounts showed evidence of unauthorized activity), usernames, email addresses, mailing addresses, and phone numbers were all exposed in the hack[/B]. And while Kickstarter passwords are encrypted, the company notes that skillful hackers may have the means to crack them. [/QUOTE] If you use the same password for everything and you've got a kickstarter account, get cracking on those password changes. I don't envy you!
Jesus encrypt your shit better kickstarter
Ok, so what "encryption" (i.e. hashing) did they use? I've seen sites claim their passwords are stored securely, just to have it be found out they were using unsalted MD5.
[QUOTE=carcarcargo;43927693]Jesus encrypt your shit better kickstarter[/QUOTE] Encryption != getting hacked. You should know, since you're on Facepunch, that this is something every site asks you to do when they get hacked.
[QUOTE=Aide;43927731]Encryption != getting hacked. You should know since your on facepunch that this is something every site asks you to do when they get hacked.[/QUOTE] They said two accounts had already had unauthorised activity, which means someone got through the encryption and got someone's password
[QUOTE=carcarcargo;43927693]Jesus encrypt your shit better kickstarter[/QUOTE] They did, this is just precautionary. [QUOTE=carcarcargo;43927741]They said two accounts had already had unauthorised activity, which means someone got through the encryption and got someones password[/QUOTE] Or the passwords were simple ones which were able to be hit with rainbow tables.
Kickstarter is made with Ruby on Rails and they are more than likely using a module like Devise or another similar authentication module. Such modules have been built from the ground up over a long period of time and have become very secure ways to handle authentication on RoR apps. I'm very certain Kickstarter are not storing the passwords as unsalted MD5s or other such forms of encryption.
I went and changed my password, spent the first three minutes thinking someone had hijacked my account because none of my passwords worked and then when I got the right one spent the next two minutes thinking how much of a genius I was that it ended up being a password that I use nowhere else, and so well devised it took me, the creator, three minutes to guess!
Fixed it. Funny thing was, I'd forgotten what my password was anyway and was going to have to reset it no matter what. :v:
Online security is so shit. It's like every few weeks I'm getting an email that another account of mine is at risk.
Oh shit, oh good, I used my secondary email account for Kickstarter for some reason so I'm not that fucked.
They updated their blog post, they claim to have used salted SHA1 (With a per user salt I think, nice), while "more recent" passwords used bcrypt. Seems they did stuff right.
[QUOTE=No_Excuses;43927895]Online security is so shit. It's like every few weeks I'm getting an email that another account of mine is at risk.[/QUOTE] Yeah, Crydev, Adobe, SMF, and just a bunch of other forums. It's getting ridiculous because in this day and age you have to keep making accounts for different things.
I connected through Facebook it seems (I don't remember if I did or not but it says I did so, you know) so I should be fine.
[QUOTE=TheDecryptor;43928176]They updated their blog post, they claim to have used salted SHA1 (With a per user salt I think, nice), while "more recent" passwords used bcrypt. Seems they did stuff right.[/QUOTE] i like cheese and onion myself
Wouldn't it also depend on how they stored the hashes? I imagine a way people get into these sites after obtaining encrypted passwords is just bypassing the login and sending the hash as if they tried to log in. I don't keep up to speed with this kind of thing, but I'd think if they stored the final hash in the database that the infiltrators got the data from, they wouldn't need passwords (until they re-salt all the hashes or something)
A well written login form shouldn't ever accept plain hashes; everything entered as a password (even a plain hash) should go through the normal codepath and be hashed. Of course, I don't doubt that at some point somebody suggested allowing the user to submit plain hashes as an "optimisation" method.
Eh i just deleted the whole account.
[QUOTE=mark6789;43930133]Eh i just deleted the whole account.[/QUOTE] and that just magically removes your user from the database dump (if any). Pretty much all sites just flag your account as disabled and keep all the data. The thing that I'm wondering is why law enforcement officials knew about the breach BEFORE kickstarter did and why only two accounts have been allegedly dumped. [quote]On Wednesday night, [B]law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access[/B] to some of our customers' data.[/quote]
I registered through Facebook so I changed both password. Luckily I use different passwords so they shouldn't get anywhere.
[QUOTE=Marden;43932335]I registered through Facebook so I changed both password. Luckily I use different passwords so they shouldn't get anywhere.[/QUOTE] OpenID doesn't leak credentials, so you've been safe the whole time, afaik. [editline]16th February 2014[/editline] Found something in the Gizmodo source, they reset the auth tokens so all Facebook logins are automatically re-secured.
[QUOTE=deadoon;43927750]Or the passwords were simple ones which were able to be hit with rainbow tables.[/QUOTE] Which would mean kickstarter wasn't doing effective salting, which is just as bad.
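The three storage schemes argued about above (unsalted hashes, per-user salted SHA-1, and a slow KDF like bcrypt), plus the "login form must hash whatever is submitted" point, can be seen side by side in a small script. This is an added example written for this thread, not Kickstarter's or Devise's code, and it uses only Ruby's standard library: PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption: the property being shown, a tunable per-guess cost, is the same; real bcrypt needs the external bcrypt gem). The wordlist, salts and passwords are constructed for the demo.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Three ways to turn a password into a stored record. All return a Hash with
# the same shape so the login path below treats them identically.
module PasswordStore
  ITERATIONS = 100_000 # PBKDF2 work factor; the bcrypt analogue is its cost parameter

  # 1. Unsalted SHA-1 (the "unsalted MD5"-style storage warned about in the
  #    thread): identical across users and sites, so one precomputed table
  #    cracks every record in every dump that uses it.
  def self.unsalted(password)
    { scheme: :unsalted_sha1, hash: Digest::SHA1.hexdigest(password) }
  end

  # 2. Per-user salted SHA-1 (the older scheme described in the thread).
  #    The random salt defeats precomputed tables, but SHA-1 is fast, so a
  #    weak password still falls to a per-record dictionary run.
  def self.salted(password, salt = SecureRandom.hex(16))
    { scheme: :salted_sha1, salt: salt, hash: Digest::SHA1.hexdigest(salt + password) }
  end

  # 3. Salted, deliberately slow KDF. PBKDF2-HMAC-SHA256 from the stdlib is
  #    used as a stand-in for bcrypt (assumption noted in the lead-in).
  def self.slow(password, salt = SecureRandom.hex(16))
    { scheme: :pbkdf2_sha256, salt: salt, iterations: ITERATIONS,
      hash: pbkdf2(password, salt, ITERATIONS) }
  end

  def self.pbkdf2(password, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32,
                               OpenSSL::Digest.new('SHA256')).unpack1('H*')
  end

  # Recompute the stored form of +candidate+ for a given record. This is the
  # ONLY comparison the login path ever performs: whatever string is
  # submitted is hashed exactly as at registration, so a stolen hash string
  # submitted as the "password" just yields the hash of that string.
  def self.digest_for(record, candidate)
    case record[:scheme]
    when :unsalted_sha1 then Digest::SHA1.hexdigest(candidate)
    when :salted_sha1   then Digest::SHA1.hexdigest(record[:salt] + candidate)
    when :pbkdf2_sha256 then pbkdf2(candidate, record[:salt], record[:iterations])
    else raise ArgumentError, "unknown scheme #{record[:scheme]}"
    end
  end

  # Constant-time equality so response timing does not leak matching prefixes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.verify(record, candidate)
    secure_equal?(record[:hash], digest_for(record, candidate))
  end
end

# Attacker side. WORDLIST is a constructed toy dictionary; UNSALTED_TABLE is
# the rainbow-table equivalent: built once, reused against any unsalted dump.
WORDLIST = %w[password 123456 letmein kickstarter hunter2].freeze
UNSALTED_TABLE = WORDLIST.to_h { |w| [Digest::SHA1.hexdigest(w), w] }.freeze

# Returns the recovered password or nil. Unsalted records cost one table
# lookup each; salted records force the whole wordlist to be recomputed per
# record, and with the slow KDF each guess costs ITERATIONS hash operations.
def crack(record)
  if record[:scheme] == :unsalted_sha1
    UNSALTED_TABLE[record[:hash]]
  else
    WORDLIST.find { |w| PasswordStore.digest_for(record, w) == record[:hash] }
  end
end

if $PROGRAM_NAME == __FILE__
  { unsalted: PasswordStore.unsalted('letmein'),
    salted:   PasswordStore.salted('letmein'),
    slow:     PasswordStore.slow('letmein') }.each do |name, rec|
    puts "#{name}: password verifies=#{PasswordStore.verify(rec, 'letmein')} " \
         "stolen hash as password verifies=#{PasswordStore.verify(rec, rec[:hash])} " \
         "cracked=#{crack(rec).inspect}"
  end
end
```

Run it and all three records verify the real password, none accepts its own stored hash as a password (the pass-the-hash worry above), and all three weak "letmein" records are cracked; the difference is only how much work the last two cost per record, which is the whole point of salting and of a slow KDF.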
[QUOTE=Tamschi;43932370]OpenID doesn't leak credentials, so you've been save the whole time, afaik. [editline]16th February 2014[/editline] Found something in the Gizmodo source, they reset the auth tokens so all Facebook logins are automatically re-secured.[/QUOTE] Yeah, they send an email but I think it was time to update passwords anyway.
Start a kickstarter for a better password database
[QUOTE=DrTaxi;43932413]Which would mean kickstarter wasn't doing effective salting, which is just as bad.[/QUOTE] The fact that it's just 2 accounts and the police were the ones who informed Kickstarter makes me think it was a targeted attack. If they weren't salting properly we'd be seeing a lot more than two accounts hit, and since the Police were the first ones to find out points to it being part of an investigation.