Who wants to start a Kickstarter for a more secure Kickstarter? Account data hacked

Crowd-funding site Kickstarter is the latest high-profile Internet property to call on users to reset their passwords, after announcing that an attacker had made off with their account records. However, the site is at pains to emphasise that attackers won't have access to credit card data. In this announcement, the company's …

COMMENTS

This topic is closed for new posts.
  1. ckm5

    Mysterious 'frozen card' calls last Thursday...

    I got a couple of 'phishing' phone calls last Thursday & Friday saying my card was frozen and please call X number. My card wasn't frozen, someone was trying to get more info about me and all three of my card providers said that they had a sudden large volume of customer inquiries about frozen cards.

    I wonder if this is related as I have a Kickstarter account and have funded 10+ projects.

  2. KjetilS

    Kickstarter is probably correct in stating that the hackers didn't have access to credit card data. Afaik, they use Amazon for the actual transactions, and Kickstarter isn't really involved in processing the credit card payments.

    1. frank ly

      But,

      "... Kickstarter retains the last four digits of non-US credit cards .."

      So they are involved? Or do Amazon pass this data back to Kickstarter?

      1. Anonymous Coward

        Re: But,

        That will explain why I got one from Amazon Payments - last 4 digits right but all the rest was wrong

    2. Captain Scarlet

      Amazon

      Only if you are in the US; it's definitely changed, as a Kickstarter I pledged for a week before didn't go via Amazon. I'm not sure when this changed and who they use (or whether it's themselves), as previous Kickstarters required Amazon.

  3. Anonymous Coward

    Initially, Kickstarter only hosted projects originating from the US. These were/are USD based, and use Amazon for actual credit card operations as far as I know. However, KS recently introduced support for projects from other areas (UK / GBP, Canada / CAD, etc.) and payment for these clearly goes through another route (i.e. you don't need to log into any external site, like you need with Amazon, to pay). I have no idea if those payments are actually processed by KS itself, a different 3rd party or how exactly it all works, but it does look like FULL credit card numbers might be held by others than Amazon too.

  4. rvt

    I hope the passwords were hashed, and not encrypted..

    1. ACZ

      Passwords were hashed

      I was a bit stressed about what they did with passwords as well - the comment (link below) from a Kickstarter person is that:

      "... we're being very public with how we hashed them: older Kickstarter passwords used using SHA-1 digested multiple times. More recent passwords are encrypted with bcrypt."

      Discussion here - https://news.ycombinator.com/item?id=7245349

    2. Old Handle

      en·crypt

      transitive verb in-ˈkript, en-

      : to change (information) from one form to another especially to hide its meaning

      What part of that definition does salted hashing not satisfy?

      Anyway it's obvious they were just trying to put it in layman's terms, for the techies they go on to state what hashing algorithms they used.

  5. lupine

    Just makes me miss the 70s and 80s trial bike TV show.

    Especially the episode with the St John Ambulance guy repeatedly falling into a hole.

    Never pledged... never seen anything of interest the couple of times I've looked.

  6. bigtimehustler

    They probably don't process the cards themselves; most payment processors will pass back the last 4 digits of the card, expiry date and address details to the website so that it can be stored for records. As for the encrypted vs hashed argument, that depends on whether the web servers were compromised as well as the data store. You would have to get hold of the encryption key too, otherwise it's better than a hash, but with the inherent problem that if the key is found in your infrastructure then it's far worse than a hash.
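The two storage schemes quoted in comment 4.1 (older records as SHA-1 digested multiple times, newer ones under bcrypt) are a common "rehash on login" migration. The following is an added example, not Kickstarter's code: it verifies a legacy unsalted iterated-SHA-1 record and, when the login succeeds, returns a replacement record under a salted, slow KDF. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, and the round count and record format are assumptions.

```python
import hashlib
import hmac
import os

LEGACY_ROUNDS = 1000          # assumed count for "SHA-1 digested multiple times"
MODERN_ITERATIONS = 200_000   # PBKDF2 work factor; bcrypt's cost parameter plays this role


def legacy_sha1_hash(password: str, rounds: int = LEGACY_ROUNDS) -> str:
    """Assumed legacy scheme: SHA-1 re-applied to its own digest, no salt."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return "sha1x{}${}".format(rounds, digest.hex())


def modern_hash(password: str, salt: bytes = b"") -> str:
    """Salted slow hash; a fresh random salt means equal passwords give different records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, MODERN_ITERATIONS)
    return "pbkdf2${}${}${}".format(MODERN_ITERATIONS, salt.hex(), dk.hex())


def verify(password: str, stored: str) -> bool:
    """Dispatch on the scheme prefix; compare in constant time either way."""
    scheme, rest = stored.split("$", 1)
    if scheme.startswith("sha1x"):
        rounds = int(scheme[len("sha1x"):])
        return hmac.compare_digest(legacy_sha1_hash(password, rounds), stored)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def login(password: str, stored: str) -> tuple:
    """Return (ok, record_to_persist). A legacy record is upgraded only on a
    successful login, the one moment the plaintext is available to rehash."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1x"):
        return True, modern_hash(password)
    return True, stored
```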
