Kickstarter API bug made 70,000 unpublished projects visible to the public
Programming bugs almost always reach production code inadvertently. This time it is Kickstarter that has found a flaw in some of its code. The bug allowed access to the project description, goal, duration, rewards, video, image, location, category, and user name of 70,000 unpublished projects.

On the Kickstarter Blog, the company has made it abundantly clear that no financial data was ever publicly visible. Of the 70,000 "visible" projects, only 48 were viewed, and that figure includes views by the Kickstarter team trying to verify and patch the bug. The bug was introduced into the code with the April 24 homepage redesign.
"The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm. The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects. No account or financial data was made accessible.
"Based on our research, the overwhelming majority of the private API access was by a computer programmer/Wall Street Journal reporter who contacted us. Outside of that person's use, our research shows that a total of 48 unlaunched projects were accessed during the three weeks this bug was live (this number includes a number of views by Kickstarter's developers working on the API itself)."



