Since it announced on Saturday evening that its user database had been hacked, giving cybercriminals access to some of its users’ personal information, crowdfunding website Kickstarter says it has received thousands of queries from users with questions about the incident.
“We’re incredibly sorry that this happened,” reads the hack-related FAQ on the Kickstarter blog. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting.”
The company didn’t specify how many accounts had been compromised by the breach, which it detected last Wednesday. It did say that the hackers gained access to some users’ usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords. Because the passwords were encrypted, the hackers would need the key to decrypt all of them, though guesswork could be employed to access the accounts of users with cruddy passwords.
Even though Kickstarter says no actual passwords were accessed, it is asking all users to reset their passwords out of caution.
Those users who logged in to Kickstarter via Facebook were not part of the breach, but the company has reset all those users’ Facebook credentials just to be safe. A user should only need to reconnect through Facebook the next time they visit Kickstarter.
In terms of credit cards, Kickstarter says no payment information was accessed as it does not store users’ full credit card numbers. It does maintain a database of the last four digits of non-U.S. users’ card numbers and expiration dates, but claims this information was not taken during the hack.