"For those who are unfamiliar, an API is a software interface that allows software to communicate with one another. It's not like a webpage that an internet user could point their browser to. It is a feed of data meant to be shared between software. The API in this instance is for Kickstarter's internal use," explains Yancey Strickler, one of the site's cofounders.
The bug was the result of a site upgrade effected on April 24, but was fixed only on May 11, after Kickstarter's engineers were notified of it by a WSJ reporter who discovered it.
Among the details that were accessible are project descriptions, goals, duration, rewards, videos, images, location, category, and the user name.
Fewer than 50 unlaunched projects were accessed during the three weeks the bug was present, and that includes views by Kickstarter's own team of developers.
Strickler made sure to point out that no financial or account information was accessible at any time, but he still described the incident as "unacceptable."