Online fundraising site Kickstarter says hackers got some of its customer data.

Kickstarter co-founder Yancey Strickler said in a blog post that hackers accessed usernames, email addresses, phone numbers and passwords. The passwords are encrypted, but the company said it’s possible for a hacker to guess a weak or obvious password. It recommended that users change their passwords.

“While no credit card data was accessed, some information about our customers was,” Strickler wrote. “Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.”

On Sunday night, Kickstarter posted an update, noting thousands of inquiries from users.

“Over the past 24 hours, the Kickstarter team has responded to more than 5,000 inquiries about yesterday’s news. We’re still standing by to help. If you have questions, comments, or concerns, feel free to contact us at accountsecurity@kickstarter.com. Thanks!”

Hackers did not get credit card information, said New York-based Kickstarter, but two accounts saw unauthorized activity.

Kickstarter is one of dozens of crowdfunding websites that let people raise money from donors for projects. Kickstarter campaigns have included Zach Braff and Spike Lee movies, a local brewery, arts projects and business startups.

The breach was disclosed Saturday on the Kickstarter blog. The company said it learned about the breach from law enforcement on Wednesday and closed it immediately.

“We’re incredibly sorry that this happened,” Strickler wrote. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways.”

Strickler added that the company is “working closely with law enforcement.”

Kickstarter was founded five years ago and has collected $982 million for more than 56,000 projects, according to its website. It says it has collected pledges from more than 5.6 million people.

The breach comes after discount retailer Target Corp. said it believes hackers infiltrated the computers of one of its vendors, and installed malicious software in Target’s checkout system for its 1,800 U.S. stores. Experts believe the thieves gained access during the busy holiday season to about 40 million credit and debit card numbers. They also got the personal information — including names, email addresses, phone numbers and home addresses — of as many as 70 million customers.

FAQ

On Saturday, Kickstarter published an FAQ about the situation and security:

  • How were passwords encrypted?

Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

  • Does Kickstarter store credit card data?

Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.

  • If Kickstarter was notified Wednesday night, why were people notified on Saturday?

We immediately closed the breach and notified everyone as soon we had thoroughly investigated the situation.

  • Will Kickstarter work with the two people whose accounts were compromised?

Yes. We have reached out to them and have secured their accounts.

  • I use Facebook to log in to Kickstarter. Is my login compromised?

No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.