By Graham K. Rogers

On Sunday morning, one of the first emails I saw was from Kickstarter. I was expecting news on a project I had backed, but the message told me that the site had been hacked and user passwords had been stolen. As a precaution, it urged users to login and change their passwords. It included this,

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

Although it was genuine, the email had some of the signs of a classic phishing exercise, so I first checked the links in the message. As the cursor was over each of them, so what appeared to be a real link to Kickstarter appeared.

Nonetheless, I used a browser to access the site by typing in the URL. I did not link using the email.

Once in, there was a banner with information about the attack, and as I could access all of my usual data, I logged out, then logged back in again before changing the password. For this, I used a new password generated by OS X. At the same time, I disconnected access from Facebook.

It took a couple of days for Kickstarter to send out this information while they were fixing the breach (it has only just appeared in HackerBot for example) and perhaps trying to track down those responsible for the breach.

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.