
Cyber Incident Victim: Kickstarter

Date: Feb 2014

Location: United States of America

Summary

A crowdfunding platform suffered a security breach resulting in unauthorized access to personal user data, including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Law enforcement notified the company of the incident, prompting immediate closure of the breach and implementation of enhanced security measures; no credit card information was compromised, and investigators identified only two instances of unauthorized account access. The organization publicly apologized for the incident, confirmed ongoing collaboration with authorities, and committed to further strengthening its security infrastructure to prevent future occurrences.


Description

On February 16, 2014, Kickstarter publicly disclosed a security breach after law enforcement officials alerted the company to unauthorized access on Wednesday of that week. The crowdfunding platform confirmed that attackers had obtained personal customer data, including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Kickstarter immediately closed the security breach upon discovery and initiated efforts to strengthen its security infrastructure. The company emailed users on Saturday night urging password changes, though it emphasized no credit card data was compromised in the incident. According to Kickstarter’s investigation, only two instances of unauthorized account access occurred as a result of the breach. The company’s blog post stated it had launched in 2009 and accumulated over 5.6 million user accounts by the time of the intrusion.

Kickstarter characterized the breach as “frustrating and upsetting” in its public statement, apologizing to users while detailing ongoing security enhancements. The organization collaborated with law enforcement agencies to investigate the incident and implemented procedural and technical improvements to prevent recurrence. No specific details about the attackers’ methods or the duration of system access were disclosed. The compromised encrypted passwords raised concerns about potential decryption attempts, though Kickstarter did not specify the encryption standards used. Impacts extended to all users whose personal information was exposed, though financial data remained unaffected. The company committed to continuous security upgrades in subsequent months while maintaining its operational services throughout the response period.
