Millions of Accounts From Previous Bitly and Kickstarter Breaches Exposed

It’s another day with yet another story of a data breach affecting millions of users around the world. This time, the targeted platforms are Bitly and Kickstarter.

Bit.ly

Troy Hunt, an IT security researcher and founder of the breach notification website HaveIBeenPwned (HIBP), has discovered that Bitly, a URL shortener service provider, was compromised back in May 2014, exposing over 9 million accounts of registered users. As a result, usernames and encrypted passwords were breached.

In response to Troy, Bitly claimed in a tweet that “3rd-party service recently shared a data compromise that affected Bitly in 2014. No current security threat; no action required.”

In May 2014, however, Bit.ly had already sent email notifications informing users about the breach. In a blog post on May 8, 2014, Mark Josephson, CEO of Bit.ly, wrote that “We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission.”

Kickstarter

Kickstarter is the New York-based public-benefit corporation that maintains a global crowdfunding platform focused on creativity. The platform is used by millions of people. The bad news is that Kickstarter also suffered a massive data breach in 2014, which exposed 5.2 million accounts and in which usernames and encrypted passwords were stolen.

Like Bit.ly, Kickstarter also acknowledged the incident back in February 2014. In the company’s official blog post, Yancey Strickler, the founder of Kickstarter, wrote that “law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”

“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”

In addition, after Troy’s tweet, the company updated its blog post on October 6, 2017, and stated that: “Some of our customers are hearing about our 2014 security breach today from a breach notification service” […] “There’s no new information today that changes what we shared in 2014.”

Although both breaches took place three years ago, users of both platforms should once again change their passwords since the data is now publicly available. This poses a security and privacy threat to victims since cybercriminals can use the data for identity theft and other scams.

Troy also tweeted that ReverbNation, an online platform that provides tools and opportunities for musicians to manage their careers, also suffered a data breach in January 2014, exposing 7 million accounts. Furthermore, 27,000 email addresses belonging to the customers of DDoS prevention service Staminus were also exposed in March 2016.

Users are also advised to use a strong password, to avoid signing up for 3rd-party services with their work or personal email, and to use a dummy email account for such purposes. Remember, just a couple of days ago it was revealed that the web commenting system Disqus was also hacked back in 2012, affecting 17.5 million users.

Also, visit HaveIBeenPwned to check whether your email account was included in other data breaches.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and the tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.