Thingiverse Leak Sees 36GB of User Data in the Hands of Hackers (Updated)

A tap diverter from Thingiverse
(Image credit: Thingiverse/Digitalpaul)

Update 10/15/2021 07:42 PT

Since this story was published we have received the following statement from Bennie Sham, Makerbot's PR Manager:

"We became aware of and have addressed an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users. We have not identified any suspicious attempts to access Thingiverse accounts, and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure. We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparent change and rigorous security management. 

"For clarification, the exposure affected a handful (less than 500) of real user data. The non-production, non-sensitive data included encrypted passwords (random salted) with mostly testing data. The affected users have been notified."

Original article follows.

Thingiverse, the site for community sharing of 3D printing templates and other digital design files, has been the victim of an unfortunate data leak, with 36GB of unique email addresses and ‘other personally identifiable information’ appearing on a popular hacking forum. The leak was confirmed by Have I Been Pwned creator Troy Hunt in a statement to Information Security Media Group.

(Image credit: haveibeenpwned.com)

The leaked backup file appears to contain a MySQL database with more than 255 million lines of data, according to Hunt. Within is "data on the 3D models that are publicly accessible, but there are also email and IP addresses, usernames, physical addresses and full names". Date stamps appear to go back at least a decade.

While there's no sign that plain-text passwords have been leaked, Have I Been Pwned tweeted about the presence of "unsalted SHA-1 or bcrypt password hashes" in the data. A salt is random data mixed into the input of the hashing process (a one-way transformation) so that identical passwords do not produce identical hashes. Hashed passwords still cannot be read back without considerable effort, but without a salt they are far easier to crack.
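To make the salt point concrete, here is an added example (not code from the article, Thingiverse or MakerBot) contrasting a deterministic unsalted SHA-1, as reported in the leak, with a per-user salted PBKDF2 hash; the user names and shared password are constructed, and the storage format is an assumption.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional

# Constructed sample: two unrelated users who happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme named in the leak: one fixed hash per password, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. Assumed storage format: 'iterations$salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """Number of stored values shared by more than one user. A salted store yields 0;
    a duplicate in an unsalted store means one guess unlocks several accounts."""
    return sum(1 for _, n in Counter(hashes).items() if n > 1)


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted duplicates:", duplicate_hash_count(weak.values()))   # 1
    print("salted duplicates:  ", duplicate_hash_count(strong.values())) # 0
    print("alice login ok:", verify_password("correct horse", strong["alice"]))
```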

The breach was first discovered on October 1st by Twitter user pompompurin, as a result of a "misconfigured S3 bucket" from Thingiverse's backup data. 

Thingiverse's owner, MakerBot, has been made aware of the incident but, at the time of writing, has yet to issue a statement. Now would be a really good time to change your Thingiverse password, along with the passwords for any other sites where you may have inadvertently reused the same credentials.

Ian Evenden
Freelance News Writer

Ian Evenden is a UK-based news writer for Tom’s Hardware US. He’ll write about anything, but stories about Raspberry Pi and DIY robots seem to find their way to him.

  • USAFRet
    I am a frequent user of Thingiverse, but never made an account there.

    Daily, we are reminded to be careful with all of our account data.
    2FA, don't use the same passwords, blah blah...

    But the holders of that info are far more careless.
    Mercedes, Yahoo, OPM, Equifax....

    My data has been leaked so many times, that if I were able to run all the free credit reporting consecutively...I'd be dead before I got to the end.

    My info has been leaked, and NOT by anything I did or failed to do.