Kickstarter asks millions to change passwords, provides no explanation

About 10% of Kickstarter's entire user base received password reset emails

Kickstarter told users it is simplifying its login process

Crowdfunding giant Kickstarter has emailed around 5 million members to ask them to change their passwords.

As reported by TechCrunch, Kickstarter said it was 'simplifying its login process' and that the recipients should set a new password for their account.

The company provided no other explanation for the request, and neither Kickstarter's website nor its social media feeds make any mention of the mass password reset.

Users shared concerns about a potential security breach in response.

Kickstarter spokesperson Kate Bernyk told TechCrunch the company had not been hacked, and that the organisation was encouraging users to set a password for their accounts if they had not already done so.

This includes users who initially created their accounts using only their Facebook login information.

Kickstarter has about 50 million users, so the 5 million who received emails represented about 10% of its entire user base.

Several users who received emails speculated that the messages were part of an effort by malicious actors to phish for credentials.

This comes after a data breach at Kickstarter in 2014, when hackers stole data on millions of user accounts.

The firm learned about the security breach only after law enforcement reported the issue to it.

Usernames, email addresses, postal addresses, phone numbers, and encrypted passwords were among the information that was compromised, although the company did not reveal how many accounts were affected.

Last year, it emerged that information from millions of Kickstarter accounts was available to the public due to the 2014 data breach.

The firm says it has increased its security measures since 2014, by implementing new features such as two-factor authentication and the ability to track the locations from which a user account has been accessed.

Earlier this month, researchers at cybersecurity firm Zscaler's ThreatLabz uncovered a new widespread phishing effort that targeted Microsoft email users and used an adversary-in-the-middle (AiTM) technique to bypass MFA protections.

Microsoft released details of a similar campaign in July, which exploited the AiTM technique to bypass MFA and targeted more than 10,000 organisations.