Crowdfunding website Kickstarter sparked overnight fears of a possible security incident after the company sent unsolicited password reset emails to millions of users without prior explanation.
The emails, seen by TechCrunch, tell users that Kickstarter is “simplifying its login process” and urge users to “set a new password for your Kickstarter account.” The emails offer no further explanation as to why Kickstarter is asking users to reset their credentials, and there’s no mention of a mass password reset on Kickstarter’s website or social channels.
When reached Wednesday, Kickstarter spokeswoman Kate Bernick told TechCrunch that the company had not been breached. Rather, it was “encouraging users to create a password if they haven’t already set one,” such as those who created an account using only their Facebook login.
Bernick said 10 percent of users, or about five million accounts, received password reset emails. Kickstarter currently has 50 million users, the spokesperson confirmed.
Several Kickstarter users speculated that the password reset emails themselves, while legitimate, were an attempt by attackers to steal their passwords. After all, it’s long been considered a cybersecurity best practice to avoid asking people to click on password-related links in unsolicited emails, given that such an email could be a sign that an account has been compromised, and that unsolicited reset links are a common tactic used in phishing attacks.
Data breach or not, perhaps the feedback Kickstarter received after sending these emails — including cyber-savvy users pledging not to click on the “suspicious-looking” emails — will see Kickstarter and others rethink this strategy in the future.