The Kickstarter breach from February 2014 has resurfaced on BreachForums in a more complete form than was previously circulating, with about 5.2 million user records laid out as email:SHA1:salt.
Kickstarter disclosed the incident within days of learning of it. The company told affected users that mailing addresses, phone numbers, and "encrypted passwords" had been accessed, and forced a global password reset. The passwords were not encrypted in any meaningful sense: they were salted SHA-1 digests, and the salts in this dump are short. The weakness is not SHA-1's collision problems but its speed. A fast hash lets a single modern GPU try billions of candidates per second, and a per-record salt only rules out precomputed tables and cross-record reuse; it does nothing against a straight dictionary attack on a weak password. Slow, tunable password hashes such as bcrypt already existed and were the recommended choice in 2014. Anyone with a GPU and time can work through the easier passwords on this list, and many of them will fall in hours rather than weeks.
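To make the point concrete, here is an added example (not code from the article or from Kickstarter) that parses a constructed dump in the email:SHA1:salt layout described above and runs a dictionary attack against it, then contrasts the cost of a SHA-1 guess with a memory-hard KDF. The hash construction (SHA-1 over salt followed by password, hex-encoded), the salts, the email addresses, and the wordlist are all assumptions made up for this example; real dumps differ in the exact concatenation order and that detail has to be recovered from a known plaintext before cracking works.

```python
"""Dictionary attack on a constructed email:SHA1:salt dump (added example, not real data)."""
import hashlib
import time


def sha1_salted(password: str, salt: str) -> str:
    # Assumed construction for this example: SHA-1 over salt || password, hex digest.
    # A real dump may use password || salt or several rounds; that must be confirmed first.
    return hashlib.sha1((salt + password).encode()).hexdigest()


def scrypt_salted(password: str, salt: str) -> str:
    # What a corrected design looks like: a memory-hard KDF with a tunable cost.
    # n=2**14, r=8 needs 16 MiB per guess, which is what makes GPU brute force expensive.
    return hashlib.scrypt(password.encode(), salt=salt.encode(),
                          n=2**14, r=8, p=1, dklen=32).hex()


def make_record(email: str, password: str, salt: str) -> str:
    # Builds one constructed dump line; only used to fabricate the sample below.
    return f"{email}:{sha1_salted(password, salt)}:{salt}"


# Constructed sample records (fake addresses, fake salts, deliberately weak passwords).
DUMP = "\n".join([
    make_record("alice@example.com", "password1", "a9f"),
    make_record("bob@example.com", "letmein", "3kq"),
    make_record("carol@example.com", "password1", "zz0"),  # same password, different salt
    make_record("dave@example.com", "correct-horse-battery-staple-9f2", "b1t"),
])

# Tiny constructed wordlist standing in for a real one.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "kickstarter", "iloveyou"]


def parse_dump(text: str) -> list[tuple[str, str, str]]:
    """Split email:SHA1:salt lines into (email, digest, salt) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        email, digest, salt = line.split(":", 2)
        records.append((email, digest.lower(), salt))
    return records


def crack(records: list[tuple[str, str, str]], wordlist: list[str]) -> dict[str, str]:
    """Return {email: password} for every record whose password appears in wordlist.

    Because each record carries its own salt, every candidate has to be hashed once per
    record: cost = len(records) * len(wordlist). The salt removed shared rainbow tables,
    not the dictionary attack, and SHA-1 keeps each of those guesses nearly free.
    """
    found = {}
    for email, digest, salt in records:
        for candidate in wordlist:
            if sha1_salted(candidate, salt) == digest:
                found[email] = candidate
                break
    return found


def guesses_per_second(hash_fn, iterations: int) -> float:
    """Rough single-core guess rate for hash_fn; a GPU is several orders of magnitude faster
    for SHA-1 but gains far less against a memory-hard function."""
    start = time.perf_counter()
    for i in range(iterations):
        hash_fn(f"candidate{i}", "salt")
    return iterations / (time.perf_counter() - start)


if __name__ == "__main__":
    records = parse_dump(DUMP)
    for email, password in crack(records, WORDLIST).items():
        print(f"cracked {email}: {password}")
    print(f"SHA-1   guesses/s (one CPU core): {guesses_per_second(sha1_salted, 20000):,.0f}")
    print(f"scrypt  guesses/s (one CPU core): {guesses_per_second(scrypt_salted, 10):,.1f}")
```

Three of the four constructed records fall to a seven-word list; only the long, random one survives, and it survives because it is not in the wordlist, not because of the salt. The two users who share "password1" have different digests, which is all the salt buys.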
Why this one matters now
Kickstarter sat at an interesting intersection in 2014. It was popular enough to attract a creative-industry crowd, including indie filmmakers, hardware tinkerers, and small-press writers, but young enough that those same users were often signing up with personal email addresses paired with whatever password they had been using since college. A surprising number of the credential pairs that drop out of cracking attempts on this dump match accounts at lower-traffic services that have never had a notable security event of their own.
For users, the meaningful action is the same as for every other breach of this vintage. If a password from 2014 is still in rotation anywhere, retire it. Use a password manager. Turn on two-factor authentication wherever it is offered. The Kickstarter account itself is almost certainly safe by now, since the company reset passwords in 2014, but any other account that shared that password is not.