Doing It Right When Security Fails

I just got an email from Kickstarter, the popular crowdfunding platform. They were writing to let their users know that they’ve joined the ranks of the companies who’ve suffered a data compromise.

I hope that they’re well-treated by their users during this crisis, because they’re doing a really good job.

Their email clearly specified the data elements that were compromised: usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Since their passwords were encrypted, they elaborated that “actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.” They made it clear that no credit card/payment information was revealed in any form, encrypted or otherwise.

I’m not thrilled to have this information out there, of course, but the specificity of this disclosure is refreshing. This is a lot better than hearing that “personal information but no payment information” was compromised, as is more typical in this sort of situation.

They provided an email address for comments and questions. Security geek that I am, I wrote to ask them whether their encrypted passwords were “salted,” which refers to a technique that makes brute-forcing encrypted passwords much more difficult.

I thought I’d most likely get a form-letter response that didn’t really answer the question, some sort of cagey “no comment,” or complete radio silence.

I was pleasantly surprised to get an email just a few minutes later with a very specific answer to the question I’d asked. It turns out they do use hash salting in a smart way, making it much, much harder for an attacker to crack encrypted passwords. They even updated their blog posting with these details after I asked my question.

It’s refreshing and commendable that Kickstarter’s communication has been so forthright and clear. But it’s also important to note thatĀ they planned for this when they designed their system. Nobody wants to be the victim of a data compromiseā€”but it happens. Kickstarter’s design has greatly limited the damage that will result.

So, I hope that Kickstarter users aren’t too frightened as a result of recent events. Their thoughtful design and forthright disclosures suggest they’re worthy of continued trust.