3D printing site Thingiverse suffers major user data breach

News
By Mayank Sharma
published

Disclosure is stuck due to lethargic response from Thingiverse, says researcher

Data Breach
(Image credit: Shutterstock)

About 228,000 users of popular 3D printing platform Thingiverse have reportedly had their authentication details stolen and published on the dark web.

The news of the leak doesn’t come from Thingiverse itself, but rather from Have I Been Pwned (HIBP), which got hold of the leaked details of the compromised accounts after receiving a tip last week.

“Thingiverse had 228k unique email addresses exposed in an Oct 2020 DB backup found circulating last week. Data included usernames, IPs, DoBs and unsalted SHA-1 or bcrypt password hashes,” tweeted HIPB.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=LFFFsT0HpgsyUe0tTFumBJohXK8Sedt0ARpsCF4DRGR+oCoVbvd+2+d8+UNIIx4L" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

HIPB’s creator and maintainer Troy Hunt added that the data has been circulating “extensively” on a popular hacking forum.

Disclosure notice

As if the leak wasn’t bad enough, Hunt says he’s had a frustrating experience getting Thingiverse’s attention.

Hunt claims he tried reaching out to the company via its contact form and also sent a direct message on Twitter, but was forced to tweet the firm in public after failing to hear from the Thingiverse for three days.

By this method, Hunt was able to establish a line of communication with Thingiverse. However, so far he has been unable to secure a disclosure notice from the platform, which he needs in order to bring the leak to the attention of his impacted subscribers.

“228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username] @makerbot.com, alongside password hashes. The highest ID in the users table 2,857,418 so the scope is much bigger,” explained Hunt.

Internal human error

In response to TechRadar Pro’s email seeking comment on the leak, Bennie Sham, PR Manager of Thingiverse’s parent company MakerBot, played down the incident and told us that it was "an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users.”

While Sham didn’t comment on Hunt’s frustrating dealings with the platform regarding the exposure, she stressed that the affected Thingiverse users have been asked to update their passwords, even though there haven’t been any suspicious attempts to access Thingiverse accounts.

“We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management,” said Sham.

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.