Crowdfunding platform Kickstarter has revealed that it was hacked last week, and while the data breach did not affect credit card information, the personal data of millions of users is potentially at risk.
"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords," Kickstarter's CEO Yancey Strickler said on the Kickstarter Blog.
"Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."
While the website has not confirmed how many users have been affected, it did reveal that the hackers succeeded in breaching two accounts. Kickstarter says it has reached out to these users but has not revealed their identities.
As a precaution, Kickstarter has suggested all users change their passwords and consider using cloud-based password management services such as LastPass or 1Password that locally encrypt login details for multiple websites and store them in an account managed by one master password.
Kickstarter says that it discovered the hack on Wednesday night after law enforcement officials made contact with the company. However, Kickstarter only decided to break the news to users on Saturday, after it had completed its investigation into the breach.
Kickstarter only stores the last four digits and the expiry dates on credit cards used to make pledges on projects outside the US.
Kickstarter says that its older passwords were hashed multiple times using SHA-1, a cryptographic hash function devised by the NSA.
More recent passwords on the website were hashed using bcrypt, a password-hashing function that combines each password with its own random salt, which prevents hackers from using precomputed rainbow tables to crack password databases.
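The difference the article draws between the two schemes is easiest to see in code. The example below is added here and is not Kickstarter's code: it contrasts a fast, unsalted SHA-1 hash (which a precomputed lookup table maps straight back to the password) with a salted, iterated hash that a table cannot be built for. bcrypt is not in the Python standard library, so the salted scheme uses `hashlib.pbkdf2_hmac` as a stand-in with the same two properties that matter here, a per-password random salt and a tunable work factor. The word list and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample word list standing in for a cracker's dictionary (not real data).
SAMPLE_WORDLIST = ["123456", "password", "password123", "kickstarter", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1: fast and deterministic, so identical passwords produce
    identical hashes and a precomputed table recovers them instantly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute unsalted SHA-1 for every candidate word. A rainbow table is a
    compressed form of exactly this mapping, built once and reused against any
    unsalted database."""
    return {sha1_unsalted(word): word for word in wordlist}


def recover_from_table(table, stored_hashes):
    """Look each stored value up in the precomputed table; None means not found."""
    return [table.get(h) for h in stored_hashes]


def hash_password(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated hash. Assumption: PBKDF2-HMAC-SHA256 from the standard
    library stands in for bcrypt. A fresh 16-byte salt per password means the
    same password never hashes to the same value twice, so no table can be
    precomputed; the iteration count makes each guess deliberately slow."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, work factor, salt and digest, all hex.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def compare_schemes(password: str):
    """Show why the salted scheme resists the table that breaks unsalted SHA-1."""
    table = build_lookup_table(SAMPLE_WORDLIST)
    unsalted = sha1_unsalted(password)
    salted_a = hash_password(password)
    salted_b = hash_password(password)
    return {
        "unsalted_recovered": recover_from_table(table, [unsalted])[0],
        "salted_recovered": recover_from_table(table, [salted_a])[0],
        "same_password_same_salted_hash": salted_a == salted_b,
        "salted_verifies": verify_password(password, salted_a),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("password123").items():
        print(f"{key}: {value}")
```

Running `compare_schemes("password123")` reports the password recovered from the unsalted hash by table lookup, nothing recovered from the salted record, two different salted records for the same password, and a successful verification of the salted record.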
"We're incredibly sorry that this happened. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come," Strickler said.
Since the blog post went live on Saturday evening, Kickstarter says that its team has responded to over 5,000 security enquiries from users.
Kickstarter is the world's largest crowdfunding platform. Since its launch in 2009, 56,000 creative projects have been funded on the website, with pledges totalling $978 million.
Last week Forbes.com was hacked by the Syrian Electronic Army (SEA), which targets high-profile media outlets whose critical coverage of Syria the hackers dislike.