Kickstarter lapse leaves 70,000 project ideas exposed

Company acknowledges screw-up, claims impact was minimal


Crowd-funding website Kickstarter is taking a kick in the public-relations pants today after a revelation by the Wall Street Journal that roughly 70,000 yet-to-be-launched project ideas had been left exposed for more than two weeks.

From the Journal story: "The information that could be seen didn't include credit-card numbers or other sensitive personal details, but it could make users more wary of Kickstarter's data practices and lower their expectations of privacy on the site."


Founded in 2009, Kickstarter gives anyone with an idea - be it for a startup, gadget, video game, or whatever - a platform to seek small investments from family, friends and anyone else who finds the endeavor worth backing. The company was the subject of a glowing profile in the New York Times last month.

In its own blog post, Kickstarter acknowledged the privacy lapse, accepted responsibility and attempted to downplay its significance:

On Friday one of our engineers uncovered a bug involving Kickstarter's private API, which is used to display projects on the Kickstarter homepage. This bug allowed some data from unlaunched projects to be made accessible via the API. It was immediately fixed upon discovering the error. No account or financial data of any kind was made accessible.

The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm. The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects.

Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself).

Obviously our users' data is incredibly important to us. Even though limited information was made accessible through this bug, it is completely unacceptable.
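The bug Kickstarter describes is a classic missing authorization check: an API built to feed the homepage served any project record by id, whether or not the project had been launched. The following is an added illustration, not Kickstarter's code, of that pattern next to the corrected version, plus the kind of log review a team would do to answer "how many unlaunched projects were actually served, and to whom?" during the exposure window. The project records, user names, IP addresses and log lines are constructed; the window dates (April 24 to May 11, 1:42pm) are the ones in the post.

```python
"""Added example, not Kickstarter's code: a project-view handler that leaks
unlaunched projects, the hardened handler, and a post-incident log review.
All project data, user names, IP addresses and log lines are constructed."""
import re
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, Optional, Set


@dataclass
class Project:
    id: int
    owner: str        # "user name" in the post's list of exposed fields
    launched: bool    # the state the leaky handler never checked
    description: str  # a subset of the exposed fields stands in for all of them
    goal: int
    category: str


# Constructed sample records, not real Kickstarter projects.
PROJECTS: Dict[int, Project] = {
    1: Project(1, "alice", True, "Bike light", 5000, "design"),
    2: Project(2, "bob", False, "Unannounced game", 20000, "games"),
    3: Project(3, "carol", True, "Short film", 8000, "film"),
    4: Project(4, "dave", False, "Stealth gadget", 15000, "technology"),
}


def serialize(p: Project) -> dict:
    return asdict(p)


def leaky_project_view(project_id: int, requester: Optional[str]) -> Optional[dict]:
    """'Before': any project id that exists is served, launched or not.
    The requester is accepted but never consulted."""
    p = PROJECTS.get(project_id)
    return None if p is None else serialize(p)


def project_view(project_id: int, requester: Optional[str]) -> Optional[dict]:
    """'After': unlaunched projects are visible only to their owner.
    Treating 'unlaunched' exactly like 'missing' means the API does not even
    confirm that a hidden project id exists."""
    p = PROJECTS.get(project_id)
    if p is None or (not p.launched and requester != p.owner):
        return None
    return serialize(p)


def homepage_feed() -> list:
    """The homepage only ever needs launched projects, so filter server-side
    instead of handing the client everything and trusting it to hide some."""
    return [serialize(p) for p in PROJECTS.values() if p.launched]


# --- post-incident review: which unlaunched projects were served, and to whom ---

# Exposure window from the post: API launched April 24, fixed May 11 at 1:42pm.
BUG_WINDOW = (datetime(2012, 4, 24), datetime(2012, 5, 11, 13, 42))

# Constructed access-log lines in an assumed "<timestamp> GET <path> ip=<addr>" format.
SAMPLE_LOG = """\
2012-05-01T10:00:00Z GET /api/projects/1 ip=203.0.113.5
2012-05-01T10:00:01Z GET /api/projects/2 ip=203.0.113.5
2012-05-02T09:30:00Z GET /api/projects/2 ip=198.51.100.7
2012-05-03T12:00:00Z GET /api/projects/4 ip=198.51.100.7
2012-05-12T08:00:00Z GET /api/projects/4 ip=192.0.2.9
"""

LOG_LINE = re.compile(r"^(\S+) GET /api/projects/(\d+) ip=(\S+)$")


def exposed_unlaunched_projects(log_text: str, projects: Dict[int, Project],
                                since: datetime, until: datetime) -> Dict[int, Set[str]]:
    """Map each unlaunched project id served inside [since, until] to the set
    of client addresses that fetched it. Requests outside the window (e.g. after
    the fix) and requests for launched projects are ignored."""
    exposed: Dict[int, Set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).rstrip("Z"))
        pid, ip = int(m.group(2)), m.group(3)
        if not (since <= ts <= until):
            continue
        p = projects.get(pid)
        if p is None or p.launched:
            continue
        exposed.setdefault(pid, set()).add(ip)
    return exposed


if __name__ == "__main__":
    print("leaky:", leaky_project_view(2, None))   # unlaunched record served
    print("fixed:", project_view(2, None))         # None: hidden from non-owner
    print("owner:", project_view(2, "bob"))        # owner still sees it
    print("feed :", [p["id"] for p in homepage_feed()])
    print("review:", exposed_unlaunched_projects(SAMPLE_LOG, PROJECTS, *BUG_WINDOW))
```

The review function is what lets a team state a figure like "48 unlaunched projects were accessed" with evidence rather than a guess, and the per-address breakdown is how one would separate a single heavy consumer (the reporter in this case) and the team's own developers from everyone else.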

Not everyone found the privacy lapse newsworthy, with one commenter on Twitter offering: "WSJ attempts smearjob on Kickstarter, painting it as somehow not secure because API allowed them to view projects that weren't yet live."

The messenger takes another one.

(Update: Presumably a coincidence, today's xkcd is about Kickstarter.)

