Data leak
Kickstarter User Data Breach: Usernames, Emails, Hashed Passwords
Primary Source: Incident Details
On February 12, 2014, Kickstarter was notified by law enforcement that its database had been accessed by unauthorized attackers via a SQL injection vulnerability. Kickstarter disclosed the breach to its users on February 15, 2014. The compromised data included usernames, email addresses, mailing addresses, phone numbers, and password hashes. Kickstarter used bcrypt for most passwords, but older accounts still had passwords hashed with unsalted SHA-1. Kickstarter stated that no credit card data was compromised, since payment processing was handled by third parties outside the compromised database. The company did not disclose the exact number of accounts affected.

Two Kickstarter accounts were found to have been accessed using stolen credentials, and Kickstarter immediately reset those accounts. The company required all users to create new passwords on their next login. Kickstarter’s relatively quick disclosure (within days of receiving the law enforcement notification) and its use of bcrypt for password hashing were noted as positive security practices, in contrast to many contemporaneous breaches. The incident prompted Kickstarter to implement additional security measures, including two-factor authentication options.
Technical Details
- Initial Attack Vector
  - SQL injection attack against Kickstarter's database; law enforcement notified Kickstarter of the unauthorized access on February 12, 2014
- Vendor / Product
  - Kickstarter (crowdfunding platform)
Timeline
- 2014-02-12 Breach discovered (Kickstarter notified by law enforcement)
- 2014-02-15 Publicly disclosed
- 2014-02-15 Customers notified