Information Kickstarter hacked.

[thesheeep]

Doofuses like these who are careless enough to let their customers data leaked need to be hit with onerous class action lawsuits and be forced to cover real-time credit analysis for years. They'll think twice about skimping on security.

If you really think that any website out there is unhackable or if there is such a thing as total security on the web, you are pretty naive.

That said, of course there are some sites that are much easier to hack than others, and even some that store passwords without encryption. Those should (and afaik can) be made legally responsible for your losses, if any should arise.

 

[Occasionally Fatal]

I use a variety of passwords, but now it's time to probably use a manager.

Anybody have recommendations/feedback on 1Password, LastPass, keepass, or other similar services?

I use Password Safe; it's free and open-source. I didn't mind this hack too much because I used Amazon payments and my password was randomly generated. Pretty great to generate a new random password and update the account, then sit back smugly.

Anyway, further reading if anyone is interested about password breaches and security on the interwebs:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
http://arstechnica.com/security/2012/08/passwords-under-assault/
http://arstechnica.com/security/201...-ninjas-choose-and-safeguard-their-passwords/
http://arstechnica.com/information-...ies-random-characters-and-a-password-manager/

 

[Humanity has risen!]

Lastpass is my favorite, it's incredibly convenient.

 

[theSavant]

Congraz I deleted my account. No project there to spend money anyways.

 

[VentilatorOfDoom]

and you probably think by "deleting your account" your userdata disappear from their DB.

 

[Tramboi]

Unfortunately I have dozens of account which use the same email+password combo as the kickstarter site, so I'm not going to go through each and every one of them, to change it. I take my luck and pray that the hackers won't use my data.

KS "only" leaked salted hashes.
The hackers would still have to crack your password, it's definitely not easy if not in a dictionary.
So they won't do it.

It's probably time to use a pw manager, yes

 

[Tramboi]

How do these password apps work? Isn't the app itself a single point of failure problem?

They store a brutally encrypted file with all you password informations.
The single point of failure becomes the master password.

 

[J_C]

Unfortunately I have dozens of account which use the same email+password combo as the kickstarter site, so I'm not going to go through each and every one of them, to change it. I take my luck and pray that the hackers won't use my data.

KS "only" leaked salted hashes.
The hackers would still have to crack your password, it's definitely not easy if not in a dictionary.
So they won't do it.

It's probably time to use a pw manager, yes

Meh, I changed the most important ones anyway. Couldn't sleep if I gave any chance to those scum.

 

[Humanity has risen!]

How do these password apps work? Isn't the app itself a single point of failure problem?

They store a brutally encrypted file with all you password informations.
The single point of failure becomes the master password.

that or potential vulnerabilities in the browser extension or phone app?

You can use 2 step authentication with Lastpass.

 

[Tramboi]

that or potential vulnerabilities in the browser extension or phone app?

Yep, that's possible.

 

[AbounI]

And what about amazon?Is there any risk for the customers who have the same adress for both?After all, hackers can access the bank data via amazon?

 

[St. Toxic]

Unfortunately I have dozens of account which use the same email+password combo as the kickstarter site, so I'm not going to go through each and every one of them, to change it. I take my luck and pray that the hackers won't use my data.

I got this shit today:

We've received a request to access your Steam account from a new browser
located at IP address: 178.94.104.141
Our records show this IP address is in KHARKIV KHARKIVS'KA OBLAST' UA
If that location does not reasonably match your location or the location of your
Internet Service Provider, then follow this link for more information:

So some Ukrainian asshole def. got through to my steam via the kickstarter thing. He shouldn't have been able to access my e-mail which used a different password, but steam suggested that the connection was validated after all, meaning that all of my shit got haxxored. Amazon however seemed untouched, thankfully. Time to update all my passwords, lols.

And what about amazon?Is there any risk for the customers who have the same adress for both?After all, hackers can access the bank data via amazon?

Plenty of risk involved.

 

[Hugstari]

Unfortunately I have dozens of account which use the same email+password combo as the kickstarter site, so I'm not going to go through each and every one of them, to change it. I take my luck and pray that the hackers won't use my data.

KS "only" leaked salted hashes.
The hackers would still have to crack your password, it's definitely not easy if not in a dictionary.
So they won't do it.

It's probably time to use a pw manager, yes

With "special people" breaking encryption using microphones these days, how hard can it really be?

Remembering passwords for me is easy these days, i just pick some random letters\numbers, make sure the browser remembers my password and if for some reason it is lost i just use the forgot my password thingy and get a new random password.

 

[Tramboi]

With "special people" breaking encryption using microphones these days, how hard can it really be?

Quite hard actually with a strong password, so you're right making your passwords random (and not too short, too, is important).

(But microphones are used to communicate (probably) payloads between devices, not to break encryption per se)

 

[Crispy]

Kickstarter should start a Kickstarter to provide Kickstarter with better encryption for their Kickstarter Kickstarters.

 

[theSavant]

and you probably think by "deleting your account" your userdata disappear from their DB.

Usually not, but as I can register with the same email address again under the same/different name I guess they have a better garbage collector than most forum software.

 

[J_C]

So some Ukrainian asshole def. got through to my steam via the kickstarter thing. He shouldn't have been able to access my e-mail which used a different password, but steam suggested that the connection was validated after all,

Didn't they just try to access your Steam account? But they couldn't log in, since they would have had to use your email. I don't think they hacked you.

 

[Septaryeth]

And what about amazon?Is there any risk for the customers who have the same adress for both?After all, hackers can access the bank data via amazon?

Possible, especially if both account have the same email or/and password. (though that's just a bad habit to begin with)
I would suggest you to go to the payment options and delete all your current credit card information right now.
The stupid site somehow always automatically record my information despite me untick the "remember" box EVERY time.

 

[Hugstari]

With "special people" breaking encryption using microphones these days, how hard can it really be?

Quite hard actually with a strong password, so you're right making your passwords random (and not too short, too, is important).

(But microphones are used to communicate (probably) payloads between devices, not to break encryption per se)

Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU

But yeah this is probably not comparable to the kickstarter hack.

 

[curry]

whew I'm so relieved I never donated on kickstarter

 

[Tramboi]

Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU

Sorry (and thanks for reposting this) you're totally right, I completely forgot this recent attack.

Though, as you say, it is not the kind of attack they guys who stole the KS data can do.

 

[Jasede]

And what about amazon?Is there any risk for the customers who have the same adress for both?After all, hackers can access the bank data via amazon?

Possible, especially if both account have the same email or/and password. (though that's just a bad habit to begin with)
I would suggest you to go to the payment options and delete all your current credit card information right now.
The stupid site somehow always automatically record my information despite me untick the "remember" box EVERY time.

Hi.
I once worked for PayPal and I assume it's the same for Amazon.

They don't want you to know this but as soon as you enter your bank information or credit card data even once it will never disappear from the records. Also when you delete an account everything stays nicely saved.

 

[theSavant]

Awesome hack method with the microphone. Makes all encryption efforts of the last 10 years useless :p. Maybe next time we buy computers we'll get special "voltage mixers" included so it randomly mashes the signals and the power drawn from the supply whenever password and encryption actions take place.

 

[Septaryeth]

And what about amazon?Is there any risk for the customers who have the same adress for both?After all, hackers can access the bank data via amazon?

Possible, especially if both account have the same email or/and password. (though that's just a bad habit to begin with)
I would suggest you to go to the payment options and delete all your current credit card information right now.
The stupid site somehow always automatically record my information despite me untick the "remember" box EVERY time.

Hi.
I once worked for PayPal and I assume it's the same for Amazon.

They don't want you to know this but as soon as you enter your bank information or credit card data even once it will never disappear from the records. Also when you delete an account everything stays nicely saved.

You have to burst my safety bubble do you
well, thanks for the heads up, somehow I'm not too surprised to hear this.
And bloody hell, I use PayPal too.
I guess it's a no brainer that the crappy NZ trading site I used would do the same shit.

 

[Spectacle]

Awesome hack method with the microphone. Makes all encryption efforts of the last 10 years useless :p. Maybe next time we buy computers we'll get special "voltage mixers" included so it randomly mashes the signals and the power drawn from the supply whenever password and encryption actions take place.

Only if they can actually put a microphone a few meters from your PC. A camera pointed at the keyboard as you type the password will do the same