In what seems like an ever-lengthening line of data breaches in recent weeks (this restaurant, this financial services company, and this supermarket have all been breached in the past month), Lifehacker has reported that information from 15 million Kickstarter and Bitly accounts is now available to the public due to a 2014 data breach. The breach itself isn’t new, much like the fresh news about Yahoo’s massive breach, but it’s much less disconcerting. Although the information is now public, it is still encrypted, and both Kickstarter and Bitly took swift action to notify users of the breach when it originally occurred, urging them to change their passwords and nullifying the breached ones if user action was not taken.
Last week, it was revealed that the scope of Yahoo’s 2013 hack was much larger than originally anticipated, affecting a total of 3 billion accounts. Those numbers are jarring by comparison, but the Kickstarter and Bitly breach should still be cause for concern, especially if you’re one to re-use passwords: with the account info now publicly available, if your old Kickstarter password is the same as one of your current passwords, a hacker could easily breach one of your other accounts.
Kickstarter posted an update in regard to the breach information becoming public, excerpted below:
“Once we learned of this problem in 2014, we closed the breach, emailed all of our customers, and posted an alert encouraging everyone to reset their passwords. We’ve invalidated any passwords that weren’t changed at the time. Since 2014 we’ve strengthened our security measures, adding features like two-factor authentication and the ability to see where your account has been accessed.”
Kickstarter mentions “two-factor authentication” in the update, but it’s worth noting that this method is not entirely foolproof. (This is how a hacker can intercept password authentication via text message.) When the breach originally occurred back in 2014, Kickstarter noted in a statement that no credit card data was accessed during the breach.
The new information about the breach was brought to the attention of Lifehacker by Have I Been Pwned, a breach notification service. (Have I Been Pwned can also make sure you have a foolproof password safe from hackers.)