Kickstarter Bug Leaves 70k Projects Exposed Online
On Friday one of our engineers uncovered a bug involving Kickstarter's private API, which is used to display projects on the Kickstarter homepage. This bug allowed some data from unlaunched projects to be made accessible via the API. It was fixed immediately upon discovery. No account or financial data of any kind was made accessible.
The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm. The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects.
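The class of bug described above is a public listing endpoint that serializes whatever its query returns, without enforcing the project's visibility state on the server. The following is an added illustration, not Kickstarter's code and not a description of how their API actually worked: the project model, the field list, the `state` values, the function names, and all sample records are constructed assumptions. It shows the leaking pattern beside a hardened version that routes every public read through one state filter, plus a regression check that flags any unlaunched project id appearing in a public response.

```python
"""Added example (constructed, not Kickstarter's code): a homepage project
listing that leaks unlaunched projects, the hardened form that filters on
state at a single choke point, and a regression check for the leak."""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Assumed states for the example; the real system's states are not on the page.
STATE_LIVE = "live"
STATE_UNLAUNCHED = "unlaunched"


@dataclass
class Project:
    # Hypothetical model; field names mirror the data the post says was exposed.
    id: int
    name: str
    description: str
    goal: int
    state: str
    owner: str
    rewards: List[str] = field(default_factory=list)


# Constructed sample data: two launched projects and one still-unlaunched draft.
PROJECTS: List[Project] = [
    Project(1, "Launched gadget", "Public description", 10_000, STATE_LIVE, "alice", ["sticker"]),
    Project(2, "Secret draft", "Not announced yet", 5_000, STATE_UNLAUNCHED, "bob", ["prototype"]),
    Project(3, "Launched film", "Public description", 2_000, STATE_LIVE, "carol"),
]

# Fields the homepage endpoint is allowed to expose for a launched project.
PUBLIC_FIELDS = ("id", "name", "description", "goal", "rewards", "owner")


def serialize(project: Project) -> Dict[str, Any]:
    """Field-level allow-list. Note this alone does not help: the leak is
    row-level (which projects are returned), not field-level."""
    return {name: getattr(project, name) for name in PUBLIC_FIELDS}


def homepage_projects_vulnerable(projects: List[Project]) -> List[Dict[str, Any]]:
    """Leaking pattern: serializes every row the query hands back. A draft
    that happens to be in the result set is exposed with the launched ones."""
    return [serialize(p) for p in projects]


def public_projects(projects: List[Project]) -> List[Project]:
    """Single choke point for public reads: only launched projects pass.
    Every public endpoint should go through here so the check cannot be
    forgotten when a new endpoint is added (the situation the post describes)."""
    return [p for p in projects if p.state == STATE_LIVE]


def homepage_projects_fixed(projects: List[Project]) -> List[Dict[str, Any]]:
    """Hardened endpoint: visibility enforced before serialization."""
    return [serialize(p) for p in public_projects(projects)]


def leaked_unlaunched_ids(response: List[Dict[str, Any]], projects: List[Project]) -> List[int]:
    """Regression / monitoring check: any id in a public response that belongs
    to a project not in the live state is a leak. Returns the offending ids."""
    unlaunched = {p.id for p in projects if p.state != STATE_LIVE}
    return [item["id"] for item in response if item["id"] in unlaunched]


if __name__ == "__main__":
    before = homepage_projects_vulnerable(PROJECTS)
    after = homepage_projects_fixed(PROJECTS)
    print("vulnerable endpoint leaks ids:", leaked_unlaunched_ids(before, PROJECTS))
    print("fixed endpoint leaks ids:     ", leaked_unlaunched_ids(after, PROJECTS))
```

The check in `leaked_unlaunched_ids` is the kind of assertion worth keeping in the test suite of any endpoint that serves a mixed table to the public: it fails the moment a new code path returns a draft row, whatever fields it serializes.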
Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself).
Obviously our users' data is incredibly important to us. Even though limited information was made accessible through this bug, it is completely unacceptable.