A WSJ reporter was apparently able to download "nearly 77,000 of Kickstarter's most recent projects and drafts, dating back to mid-March, before Kickstarter plugged the security hole around 1:40pm Eastern on Friday [May 11]."
Kickstarter cofounder Yancey Strickler admitted to the security snafu in a May 13 blog post, explaining that the bug was rolled out when the site launched its API (the application programming interface through which software shares its data) and was live until its discovery and patch on May 11. In those few weeks, the bug exposed "the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects," wrote Strickler.
"No account or financial data was made accessible," Strickler also said in the blog post.
As Mashable points out, Kickstarter believes that only 48 projects were accessed beyond those that The Wall Street Journal was able to collect; however, Strickler made sure to emphasize the importance of Kickstarter user data to the company, writing,
Obviously our users' data is incredibly important to us. Even though limited information was made accessible through this bug, it is completely unacceptable. We want to underline once again that zero account or financial information was at any time made accessible by this bug.