Kickstarter is recommending that users change their passwords after hackers gained access to customer data earlier this week, Reuters reports. While the passwords were encrypted, it’s still possible for them to be decrypted through brute force methods.

Kickstarter

“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” said Kickstarter Chief Executive Officer Yancey Strickler. The two users whose accounts showed unauthorized activity have already been contacted by Kickstarter.

Kickstarter doesn’t store full credit card numbers

Kickstarter says that it has fixed the security flaw that allowed the breach, without specifying what went wrong, and said that they are working with police to investigate the attack. Strickler’s blog post also said that the company doesn’t store full credit card numbers. For pledges to projects in the US it uses Amazon’s payment system, and for pledges to projects outside the US it only stores credit cards’ last four digits and expiration date, although this data was also not compromised by the attack.

Kickstarter all reset all Facebook credentials, since many people access the site through their Facebook account, although reconnecting them should be straightforward.

Kickstarter limited the impact of the attack

While every high profile attack renews concerns about cybercrime and raises questions about who should be responsible for damages in cases where credit card information is compromised (the customer, the issuing bank, the site that was hacked), it looks like Kickstarter has handled security well in this instance. They aren’t any obvious lapses of judgment, like the time it turned out Sony had been storing user passwords in plaintext, and the decision not to store too much financial information on their own database shows they had already made plans to limit the impact of an attack.

In a nod to people’s continuing terrible password habits, Kickstarter recommended “that you create a new password for your Kickstarter account, and other accounts where you use this password.” It’s no secret that people still use weak passwords, and reuse them at multiple sites to make them easier to remember, even though this leaves them vulnerable to having multiple accounts compromised from a single attack, but the difficulty of remembering a large number of strong passwords is too much to expect from millions of people.