
Important Kickstarter Security Notice - citricsquid
https://www.kickstarter.com/blog/important-kickstarter-security-notice
======
tptacek
Will you at some point consider telling us how the compromise happened? This
information is useful even at a very high level; it's useful to know whether
companies are breached by leaked admin passwords, or inadequately protected
admin consoles, or in-app appsec faults like SQLI.

Best of luck dealing with this incident. You're in great company,
unfortunately. :|

~~~
mecredis
Thanks for the good wishes.

Yes, we're hoping to do a post-mortem soon on our engineering blog, so that
others can learn from our experience.

~~~
tptacek
That's generous of you, and I appreciate it.

~~~
victor9000
The sentiment of your comment is that transparency is somehow generous; and I
could not disagree more. As a user whose information has been potentially
compromised, I expect nothing less.

~~~
patio11
You can expect whatever you want, but the norm in industry is for that sort of
information to end up in a silo inside the company, and external exposure to
it is permitted only under NDA or equivalent guarantees (e.g. sharing with law
enforcement).

What you urgently want is a cultural change on behalf of industry. This guy is
part of the change you want. Biting his fingers is not the optimal path to
accomplishing your goals, even if it is viscerally satisfying.

~~~
toomuchtodo
Perhaps regulation needs to move from mandatory disclosure when credit
card/payment data is leaked/lost to mandatory disclosure when credential data
is lost as well.

I too want urgent cultural change on behalf of industry; I'll settle for
regulation though.

~~~
tptacek
Be careful what you wish for. Very few practitioners in this industry really
understand what kind of regulatory honeymoon they're enjoying right now. Given
the impact of the work we do to society, it is kind of a miracle we don't all
have to be certified.

~~~
toomuchtodo
Should we not make more effort to self-govern then? And not think it a gift
when someone does a breach post-mortem?

------
carbocation
From here forward, I will consider any disclosure involving stolen passwords
that does not include a description of the password hashing/encryption/etc
mechanism to mean "plaintext-equivalent passwords were taken".

 _Edit_ : Changed "plaintext passwords were taken" to "plaintext-equivalent
passwords were taken"

~~~
mecredis
Hi, I work at Kickstarter. When communicating with millions of people it's
important to balance technical explanations against the desire to communicate
your message in common sense terms.

That said, we're being very public with how we hashed them: older Kickstarter
passwords used SHA-1 digested multiple times. More recent passwords are
encrypted with bcrypt.

~~~
danpalmer
Can you update the blog post to _remove_ the wording "encrypted". That is
simply incorrect. There is a clear and incredibly important difference between
hashing and encrypting, the latter being designed to be reversible.

I'd appreciate a description of the hashing algorithm being added to the blog
post, but that's less important.

If you say "encrypted", I read that as "somewhere we have a key that gives the
attacker plaintext passwords, they might have that key as well".

~~~
tptacek
This wouldn't be pedantic if we were discussing communications between
cryptographers and other technologists, but this is a public notice, and so
the point is very pedantic. For all intents and purposes, the password hash or
authenticator of a password _is_ its "encryption", in the layperson's sense.

~~~
larrys
Exactly.

In business the "simplicity abstraction layer" [1] on a product is essentially
taking something that was created by hackers for hackers (or engineers) and
making it simple for end users "the layperson".

God knows, anytime you can make something easy for a layperson and not make
them think, there is money to be made. They aren't interested in your Liebert
fire protection system and diverse path routing.

It never fails to amaze me how highly technical types simply can't think out
of that box. And yet they make fun of "sales types" that can actually speak
and sell to end users an inferior product.

[1] I actually just made that up.

------
mecredis
Hi! I work at Kickstarter. To answer everyone's question regarding the
encryption used for our passwords: old passwords used salted SHA1, digested
multiple times. More recent passwords use bcrypt.

~~~
RyanZAG
Thanks for the info, salted+multiple digest means this isn't nearly as bad as
it could be.

Any chance you could give us information on what kind of attack vector was
used?

~~~
tptacek
That depends on the value of "multiple". If multiple means thousands, that's
one thing; if it means tens, it's pretty bad.

------
larsberg
Ugh. That reset procedure did not play well with LastPass.

I logged in (old password), hit change password (old password), then had
LastPass generate a new password, which it handily saved over the old one in
LastPass. Hit Save. And then the site asked me for the old password a third
time.

Whoops! I don't have that anymore...

~~~
jyxent
Ha ha. I did the same thing. If you edit your password in Lastpass, there is a
history option that will show your old passwords.

~~~
thaJeztah
1Password also has a 'history' for previous passwords

------
dublinben
>For additional help with password security, we recommend tools like 1Password
and LastPass.

It's really too bad that they are recommending expensive, proprietary,
commercial apps for this when free, open source alternatives like KeePass
exist. If users are unconvinced on the value of a password vault, charging
money for it certainly isn't going to encourage adoption.

~~~
Houshalter
How secure is that? Couldn't they just as easily figure out your KeePass
password (providing they know you are using it, and that reversing the KeePass
hash isn't any more difficult than reversing the normal one)?

~~~
euank
No, they can't. The websites allow anyone in the world to make a guess at a
password. Keepass doesn't since it requires having the private database file
which you store locally.

The websites allow for a vulnerability in third party code to expose you.
Keepass, even if it has a vulnerability, can't be exploited remotely since the
database is stored only locally.

The websites are in the browser and encourage browser extensions. Browsers
suck for security... that's a massive attack surface and they are, by their
nature, integrated with the network. Keepass is a dedicated application with a
tiny surface that barely communicates with the internet at all and has no need
to. A whole class of attacks miss it.

Keepass is leaps and bounds more secure.

~~~
Houshalter
Yes it is secure in that area, I mean for the specific attack this post is
about where a hash of your password is hacked. All keepass would do is make
your password the product of two hashes instead of one. I wasn't sure if that
was that significantly more secure (if it was why aren't websites doing it
automatically?)

Of course that implies the attacker knows you used KeePass; security through
obscurity and being in the minority should protect you.

~~~
mpeg
No, the point is not to make your password more secure in case of a data
breach like this (although it can, since you can store a password that is very
long and composed of random characters)

The idea is that even if your password for kickstarter gets compromised, since
you are using a password manager that password should only ever be used in
kickstarter, so you can just change your password there and carry on

------
arjn
I'm pretty active on Kickstarter, backing multiple projects.

What's really worrying is that the Kickstarter folk didn't detect the breach
themselves. It was law enforcement (I'm assuming FBI) who contacted them about
it.

On the security notice, Kickstarter writes they "set a very high bar" on how
they serve their community. What a load of crock! If they had a high bar this
would never have happened. I wish they wouldn't rub salt in the wound by
publishing such blatant rubbish.

I'm extremely disappointed with Kickstarter right now.

~~~
couchdive
Exactly. You are in horrible shape if it's the police alerting you to this. My
policy is "You lose my info, you lose my business". I deleted my account.

~~~
__pThrow
I was about to change my password, when I saw "delete my account" was on the
same page.

On the one hand, that's a gutsy and convenient UI.

However, I immediately chose to delete my account.

------
larrys
"No credit card data of any kind was accessed by hackers. "

Ironically there is at least a clearly defined system and procedure set up to
mitigate a stolen credit card number. Essentially most if not all credit card
companies will wipe out any malicious charges and cheerfully replace your
credit card. And hopefully, if you have more than one card, the wait isn't even
a problem.

All the other information, though, that is:

"some information about our customers was. Accessed information included
usernames, email addresses, mailing addresses, phone numbers, and encrypted
passwords"

...well to me that's actually more of an issue. Ironically.

------
f055
What about the people who logged in via Facebook? (I think they don't set up
passwords.) Are access tokens compromised?

~~~
mecredis
We have reset all Facebook login credentials.

~~~
rainforest
Does that mean that Facebook will revoke them, or are they useless to an
attacker?

~~~
shdon
It means the tokens are no longer valid. It's as if the user has disconnected
the Kickstarter app from their Facebook account. To log in with Facebook
again, they have to reconnect, thus generating a new token.

------
areeb
Here's the mail:

On Wednesday night, law enforcement officials contacted Kickstarter and
alerted us that hackers had sought and gained unauthorized access to some of
our customers' data. Upon learning this, we immediately closed the security
breach and began strengthening security measures throughout the Kickstarter
system.

No credit card data of any kind was accessed by hackers. There is no evidence
of unauthorized activity of any kind on your account.

While no credit card data was accessed, some information about our customers
was. Accessed information included usernames, email addresses, mailing
addresses, phone numbers, and encrypted passwords. Actual passwords were not
revealed, however it is possible for a malicious person with enough computing
power to guess and crack an encrypted password, particularly a weak or obvious
one.

As a precaution, we strongly recommend that you change the password of your
Kickstarter account, and other accounts where you use this password.

To change your password, log in to your account at Kickstarter.com and look
for the banner at the top of the page to create a new, secure password. We
recommend you do the same on other sites where you use this password. For
additional help with password security, we recommend tools like 1Password and
LastPass.

We’re incredibly sorry that this happened. We set a very high bar for how we
serve our community, and this incident is frustrating and upsetting. We have
since improved our security procedures and systems in numerous ways, and we
will continue to do so in the weeks and months to come. We are working closely
with law enforcement, and we are doing everything in our power to prevent this
from happening again.

Kickstarter is a vibrant community like no other, and we can’t thank you
enough for being a part of it. Please let us know if you have any questions,
comments, or concerns. You can reach us at accountsecurity@kickstarter.com.

Thank you,

Yancey Strickler Kickstarter CEO

------
huhtenberg
1. Have you leaked physical addresses that were provided to completed
projects for shipping of the rewards?

2. Given the wording - "access to _some_ of our customers' data" - will you
provide a way to check if a specific account was affected? Or was it "possibly
all customer data"?

Thanks

------
sillysaurus2
Ah yes, here's another website that stores "encrypted passwords." What's an
encrypted password, again?

More seriously, why is the social convention to lie in these situations? Why
not just say what methods they were actually using?

I suppose it's possible they were storing encrypted passwords. But then an
attacker would be able to break all of them at once.

~~~
kenrikm
Hashed passwords. Laymen don't know what a "hash" is, so they use the term
"encrypted" since most people know what that is (even if it's incorrect
terminology). It's pretty clear when they say that a weak or obvious password
would be easier to crack: hash tables.

~~~
sillysaurus2
True, but we'll never know if they used unsalted SHA1 or scrypt. Is there no
value in putting a technical note at the end of press releases like this?

~~~
mecredis
sillysaurus2: We used SHA1, see my comment above.

------
mcgwiz
I had an incensed reaction to their email, which had only stated that the
passwords were "encrypted". Not until I searched these comments here for the
text "encrypt" did I learn that they actually hashed with bcrypt.

I humbly suggest all security notices like this that are sent in the future,
if written with the word "encryption" rather than "hashing" for the
layperson's sake, have an asterisk next to the word "encryption". At the
bottom of the email, the explanation "hashing with {{algo}}" where "hashing"
links to [1] would be included. Laypeople get their simple explanation,
technical people don't get too angry. And some laypeople may click through the
link and learn something.

[1]
[http://en.wikipedia.org/wiki/Cryptographic_hash_function#Pas...](http://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification)

------
LukeB_UK
Why did law enforcement officials have to tell them that they were hacked?
Surely they should have mechanisms in place to detect this themselves?

~~~
toyg
Likely somebody got their hands on a bunch of files as part of some other
investigation, and found they were Kickstarter's user db.

It is indeed troubling that KS didn't detect the breach in the first place (or
if they did, they kept it mum until forced by the authorities).

~~~
cpach
If the intruder is sophisticated enough they can find a way to fly under the
radar.

------
akerl_
Has anyone received this as an email (or any other notice besides reading it
on their blog / news sites)? It looks like it may have been emailed to people
running Kickstarter campaigns, but this really ought to be sent to all people
with affected information (which sounds like all users). If they don't do that
and/or expire passwords currently stored to require that users reset them,
it's highly likely that a lot of users won't ever notice or change their
credentials.

EDIT: I did just talk to someone who is not a campaign owner and received an
email regarding this, so it does look like they're in flight.

~~~
mecredis
We've sent an email to all affected users. They're just taking their time to
arrive across the net.

------
beefsack
When will big companies value personal information enough to encrypt it along
with credit card information and hashing passwords? We encrypt all personal
information at Miniand, and I do realise it makes it very difficult to query
data, but I believe that's an inconvenience that needs to be accepted.

------
yeukhon
_We recommend you do the same on other sites where you use this password. For
additional help with password security, we recommend tools like 1Password and
LastPass._

Please don't make such a recommendation. This won't change the fact that the
password is stored in your database. In a security breach, don't ever make
such a recommendation.

In fact, the alert doesn't tell me exactly what happened. Are just two
accounts stolen from phishing attack? Or was it a server breached? We need
that detail.

For disclosure, please do the following:

1. time of incident reported and the time of impact.

2. how the incident was reported

3. the severity of the incident

4. how the incident happened

5. resolution

I don't mind having a first notice and then follow up by a more detailed post,
but don't forget...

~~~
tptacek
Huh? I don't follow this at all. Why should they not recommend password
managers? More people should, in fact, be using them.

We'd all like answers to every question we could have about the compromise. As
you can see upthread, they've already committed to providing some of those
answers. In the meantime, they're probably slammed with other things, and you
aren't actually entitled to answers to all of your questions. You are
obviously free to take your business elsewhere if their answers aren't
satisfactory.

~~~
yeukhon
Sorry, while you are certainly more knowledgeable about security, I have to
disagree with you.

We don't yet know what is going on and recommending password manager makes no
sense until we know the actual problem. And deferring security breach to an
external tool is not a recommendation anyone should make.

So having a password manager would solve a SQLi? It might be the case that
this is just some stolen account from phishing attack. But do we know? We
don't. So now using LastPass makes the user more confident about his or her
password security inside KickStarter? How can anyone be happy with that
conclusion?

Secondly, password managers don't make your password more secure. Maybe I
should rephrase: don't even consider any online password manager. Storing
multiple passwords in a single database that someone else owns? I don't see
how that's going to make me feel better about password security. If anything,
decentralized means we don't give a single person all the identity. Now we do.
We tell LastPass here are the list of passwords I use. Great. I probably will
be slightly happier with an offline password manager, but in the end, your
brain can function and scale better than a service.

Sorry, fundamentally and practically I will have to disagree with you. And I
stand by my own view and there is nothing wrong with my view and any downvote
just seems ridiculous. In fact, I think people should think deeply before
utilizing ANY password manager. If you have a security breach, focus on
disclosure and tell people what went wrong because that's the only thing that
can tell people how to do better with their account.

~~~
tptacek
Nothing in this comment constitutes an argument for password managers being a
bad thing, or even simply not an unalloyed good thing. I am if anything more
confused about what your argument is now.

------
Rapzid
"however it is possible for a malicious person with enough computing power to
guess and crack an encrypted password, particularly a weak or obvious one."

Aaaannnnddddd I'm guessing they lost the salt >.<

------
Ssyeo86
Already got hit with a PayPal phish trying to get my PayPal password.
Clearly they are different... But seeing as they had my email they tried.

~~~
hga
I own my domain, and use distinctive user names for registering at sites like
this. I'll have to start checking my spam folder for the address I used (which
I had just cleaned out...).

------
devinegan
Time to get LaunchKey ([https://launchkey.com](https://launchkey.com)).
Seriously, any Kickstarter employee wants to talk about integration and
protecting users contact us. LaunchKey is password-less multi-factor
authentication. These user data breaches don't have to include the password
hysteria and weaknesses.

~~~
urethra
lol you are shit at selling

------
rybosome
Didn't store my credit card info with them, used a long, random, unique
password from a password gen, not terribly concerned. The peace of mind this
buys me is absolutely worth the hassle of setting it all up, and the
accusations of paranoia from more relaxed friends and family.

------
cpach
So I received a mail from Kickstarter and I changed my password and went on
with my life. I don’t think the intruder will find any use for the bcrypt
hash[+] of my password. Especially as that password has never been used for
any other site.

[+] Or whatever the cryptographers call it :)

~~~
masklinn
Still changed mine:

* Changing it is pretty much trivial: generate new password, plug in site, save

* I may have set it before KS started using bcrypt, and I'd rather not have third parties log in my KS account, even if (as far as I can see) there's nothing they can do with it

~~~
cpach
Yeah, I changed my password as well. A good thing with randomly generated
passwords is that one doesn’t really grow that attached to them ;-)

------
ameen
As a longtime Kickstarter user, I'm going to have to delete my account. If
they couldn't handle security while raking in millions if not billions in
annual revenue, what else were their priorities?

If my security is an afterthought to you, then you don't deserve my business.

~~~
tptacek
That'll sure show them. Next time, I'm sure they'll start a business that does
security better than any other company in the world, including banks, payment
processors, the NSA, &c. Since, after all, that's apparently where the bar is
set.

~~~
ameen
I wouldn't have cared if it was just CC info that had been leaked as I
could've easily remedied that. My personal info + password hashes are what
pushed me over to this decision. I've personally given them thousands of
dollars of business and was helping others launch their projects on there.

------
Ladeeda
How can snail mail addresses and phone numbers be obtained through
kickstarter, since credit card info is 'safe'? Are there instances, other than
customers providing this information for rewards to be sent, in which this
information can be accessed?

------
Ladeeda
Since credit card info is safe, is there a way for names, addresses and phone
numbers to be obtained through kickstarter other than through customers
providing it to projects so they can have rewards sent to them?

------
aaronsnoswell
When the data that was stolen crops up on a forum somewhere, can someone
please make one of those stub-websites that helps you check if you got stung
by the breach?

------
daigoba66
How is it that databases of password hashes can be stolen in the first place?
It seems that you need a pretty severe firewall and server breach for that to
occur.

~~~
anaphor
Usually because the password database is able to be compromised by some code
injection bug (e.g. SQLi). In order to prevent this you should be using a
library that makes it impossible to mix code and input data like that.
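
To make anaphor's point concrete, here is an added example (mine, not code
from the thread or from Kickstarter) using Python's sqlite3 against a
constructed two-row user table: an account lookup assembled by string
formatting, which a single payload turns into a dump of every user's salt and
hash, next to the same lookup with a bound parameter. The table schema, the
sample accounts and the payloads are all assumptions for the illustration.

```python
import hashlib
import os
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table with salted SHA-1 hashes, standing in
    for a site's password store (sample data for this example, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "email TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    for email, pw in [("alice@example.com", "password"),
                      ("bob@example.com", "qwerty")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                     (email, salt, hashlib.sha1(salt + pw.encode()).digest()))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """Deliberately vulnerable: the query is assembled by string formatting,
    so whatever the caller supplies is parsed as SQL, code and data mixed."""
    sql = f"SELECT email, salt, pw_hash FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str):
    """Same query with a bound parameter. The value never reaches the SQL
    parser, so a payload is just an odd email address that matches nothing."""
    sql = "SELECT email, salt, pw_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads, constructed for the example. The first widens the
# WHERE clause to every row; the second bolts a whole second SELECT onto the
# statement and comments out the dangling quote.
PAYLOADS = [
    "x' OR '1'='1",
    "' UNION SELECT email, salt, pw_hash FROM users --",
]


def leaked_rows(conn: sqlite3.Connection, lookup, payload: str) -> int:
    """How many users' (salt, hash) pairs one request hands the attacker."""
    return len(lookup(conn, payload))


if __name__ == "__main__":
    db = build_db()
    for payload in PAYLOADS:
        print(f"payload {payload!r}:")
        print("  string-formatted query leaks",
              leaked_rows(db, lookup_vulnerable, payload), "rows")
        print("  parameterised query leaks   ",
              leaked_rows(db, lookup_safe, payload), "rows")
```

The parameterised version is not a filter or an escaping step: the driver
sends the statement and the value separately, so there is no string in which
the payload could be interpreted as SQL. That is what "a library that makes it
impossible to mix code and input data" looks like in practice.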

------
nodata
So how do I reset my name and address?

------
Kiro
Why is bcrypt better than SHA-1?

~~~
shdon
SHA-1 has been considered weakened since 2004 and it is recommended not to use
it in new cryptosystems. It's not the worst hash out there, by far, but it can
be calculated relatively quickly which may make finding collisions easier as
new insights and faster technology becomes available. Bcrypt has a variable
number of iterations in the algorithm. Increasing the number of iterations
makes the hashing a lot more computationally intensive. Sufficiently so to
make brute force attempts intractable for now. And even when somebody has the
computing power to easily calculate your hash, increasing the number of
iterations will negate that advantage.
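
tptacek's remark upthread that it matters whether "multiple" means tens or
thousands, and shdon's explanation of bcrypt's adjustable iteration count, both
come down to how many hash computations an attacker pays per guess. The
following is an added example (mine, not code from the thread or from
Kickstarter) that reconstructs a "salted SHA-1, digested multiple times" scheme
as a plain loop, since the thread does not give the actual construction, and
counts the attacker's work for an offline dictionary attack with shared versus
per-user salts and with different round counts. It stays with the standard
library rather than importing bcrypt; bcrypt's cost parameter plays the same
role as `rounds` here, except that bcrypt's work grows as 2^cost and its
memory-access pattern is designed to resist GPU parallelism. The wordlist and
accounts are constructed sample data.

```python
import hashlib
import os
import secrets

# Constructed wordlist for the demonstration. A real cracking dictionary has
# millions of entries; only the ratios between the runs below matter.
WORDLIST = ["password", "123456", "kickstarter", "letmein", "qwerty",
            "dragon", "monkey", "football", "sunshine", "iloveyou"]


def iterated_sha1(password: str, salt: bytes, rounds: int) -> bytes:
    """Salted SHA-1 fed back into itself `rounds` times.

    The thread only says 'salted SHA1, digested multiple times'; the exact
    layout is not given, so this construction is an assumption. Each call
    costs exactly `rounds` SHA-1 invocations, which is the property at issue."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest


def make_store(passwords: dict, rounds: int, per_user_salt: bool = True):
    """Build a (user, salt, hash) table.

    per_user_salt=False gives every row the same salt, which for the attacker
    is as good as no salt at all: one hash per guess covers every user."""
    shared = os.urandom(16)
    store = []
    for user, pw in passwords.items():
        salt = os.urandom(16) if per_user_salt else shared
        store.append((user, salt, iterated_sha1(pw, salt, rounds)))
    return store


def crack(store, rounds: int, wordlist=WORDLIST):
    """Offline dictionary attack against a stolen table.

    Returns (recovered, sha1_calls). Each guess is hashed once per distinct
    salt, so unique salts multiply the attacker's work by the number of users,
    and `rounds` multiplies it again. That product is the cost behind the
    'tens versus thousands' remark."""
    by_salt = {}
    for user, salt, h in store:
        by_salt.setdefault(salt, []).append((user, h))
    recovered = {}
    sha1_calls = 0
    for guess in wordlist:
        for salt, entries in by_salt.items():
            candidate = iterated_sha1(guess, salt, rounds)
            sha1_calls += rounds
            for user, h in entries:
                if secrets.compare_digest(candidate, h):
                    recovered[user] = guess
    return recovered, sha1_calls


if __name__ == "__main__":
    # Constructed accounts: two weak passwords and one long random one.
    users = {"alice": "password", "bob": "qwerty",
             "carol": "correct horse battery staple"}
    for rounds in (10, 10_000):
        for per_user in (False, True):
            store = make_store(users, rounds, per_user_salt=per_user)
            found, cost = crack(store, rounds)
            print(f"rounds={rounds:>6} per_user_salt={per_user!s:<5} "
                  f"cracked={sorted(found)} sha1_calls={cost}")
```

Two things the output makes visible: carol's long random password survives
every configuration because it is not in the dictionary at all, which is why
the notice's "particularly a weak or obvious one" is the operative phrase; and
the attacker's cost scales as guesses x distinct salts x rounds, so a dump
with per-user salts and thousands of rounds costs orders of magnitude more per
recovered account than one with a shared salt and a handful of rounds.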

------
areeb
I got a mail from them about it.

------
robomartin
KS FEATURE REQUESTS:

I was trying to go 60 days without posting on HN. It's been 42 days. This is
important enough to break my silence and at least make a request.

Kickstarter: You deal with personal and financial data. Could you please
enable two things for those of us who understand security issues and want
better security:

1- Give me the option to not use my email as the login user id.

I've warmed-up to the idea of using randomized user names on sites that allow
it. Something like "aoc4sour*!Z". On such sites I have completely different
and randomly generated user id's and passwords. Pretty much impossible for an
intruder to associate those accounts with any other accounts.

...unless...

They can access personal information such as real name, email, mailing
address, phone and other personal identifying data that could contribute
towards social engineering into other sites.

hence...

2- Please enable an option to choose two factor authentication.

This should be there as a firewall to access any personal data at all, even
email and real name. It should also be required for any financial transaction,
including pledging any amount on a project.

I'd say make it optional because the less informed (or less paranoid) might
not want to bother.

finally...

3- I love questions such as "What's the name of your first pet?". How about
some of those?

I am being a bit sarcastic here. When answered honestly these questions are
really dangerous. It doesn't take a lot of social engineering to figure out
most of them when armed with enough personal data.

However, I like to answer such questions with a random set of words. So, the
name of my first pet might be "blue ladder tent aquifer". In other words,
pretty much impossible to guess even if I gave you access to my facebook and
linkedin accounts.

When used in this fashion these questions, I think, are actually useful. I'd
venture to guess that most people don't do it this way because they don't
understand the implications of providing straight answers.

These kinds of breaches have been accelerating. At least that's the feeling
I'm getting. This to the point that I had a sit-down security meeting at home
to make sure everyone at home understands what's going on and the fact that we
need to make sure we use different passwords for every site and service and
even different user names where possible. Pain in the ass but far less so than
having your life turned upside-down by one of these idiots.

Any thoughts, comments or improvements on the above will be highly
appreciated.

BACK TO LURKING:

In the meantime, I am going to see about going back into mostly lurking mode
on HN. I found it quite revealing to take a real break from reading and
posting on HN. For the last 42 days I've checked HN's first page nearly daily,
only scanned a few threads very quickly, dismissed most of them and refrained
from posting comments (until this one).

ON ANOTHER TOPIC: HELL-BANNED?

I wanted to initiate a thread to share my observations and reflections after,
well, now 42 days of just glancing at HN and not posting. However, either I am
the subject of a strange hellban or something is broken. I can post comments
all I want but I don't seem to be able to start new threads. Not sure how to
fix it. Too bad.

~~~
jacquesm
> I can post comments all I want but I don't seem to be able to start new
> threads.

Join the club.

~~~
robomartin
Well, I know why it happened. And rightly so.

I got too involved in a number of threads involving politics. I probably went
counter to the ideology supported by those moderating HN and eventually got
chopped-off at the knees.

I say "rightly so" because after taking a 42 day break from HN I look back at
this community with different eyes. It should be about tech and startups with
as little extraneous stuff as possible. That's where HN delivers value.

Taking several steps back and looking at what I've seen over the last 42 days
it is obvious that most discussions that stray far away from tech are pretty
much pointless whining from one side or the other of the argument. Most of
these are a total waste of time. In a lot of cases they blow out of proportion
because the average HN poster/reader is younger and lacking enough real-world
experience. So you have worlds colliding with nothing of any measurable use
being produced.

Even with technical discussions there's a lot of wasted typing on HN. Everyone
is responsible for this to one extent or another. I am not excluding myself
from any of these characterizations. Over the last 42 days I've clicked
through threads and, more often than not, I tend to dismiss them as "typical
difficult programmer nit-picking" which is what I typically see when
discussions between programmers turn into endlessly going back and forth on
fundamentally insignificant details. Programmers are some of the most
difficult people to argue with. It must be the automatic "if-then-else" and
"switch" statements that you develop over the years.

Anyhow, it sucks to be able to comment but not initiate threads. On the other
hand, it's also a nice way to limit the time one devotes to such things. Would
I like to have my thread starter privileges restored? Of course. Am I going to
get into political or minutiae discussions? Nope. Waste of time, for all
involved.

~~~
jacquesm
Spot on. For me it's simple: I should care less, not more about these things.

Thanks for the extensive comment, apologies for not responding earlier (on
assignment).

