About 228,000 users of popular 3D printing (opens in new tab) platform Thingiverse have reportedly had their authentication details stolen and published on the dark web.
The news of the leak doesn’t come from Thingiverse itself, but rather from Have I Been Pwned (HIBP) (opens in new tab), which got hold of the leaked details of the compromised accounts after receiving a tip last week.
“Thingiverse had 228k unique email addresses exposed in an Oct 2020 DB backup found circulating last week. Data included usernames, IPs, DoBs and unsalted SHA-1 or bcrypt password hashes,” tweeted (opens in new tab) HIPB.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
>> Click here to start the survey in a new window (opens in new tab) <<
- Shield yourself with these best identity theft protection services (opens in new tab)
- We've put together a list of the best endpoint protection (opens in new tab) software
- Check our list of the best firewall apps and services (opens in new tab)
HIPB’s creator and maintainer Troy Hunt added (opens in new tab) that the data has been circulating “extensively” on a popular hacking forum.
As if the leak wasn’t bad enough, Hunt says he’s had a frustrating experience getting Thingiverse’s attention.
Hunt claims (opens in new tab) he tried reaching out to the company via its contact form and also sent a direct message on Twitter, but was forced to tweet (opens in new tab) the firm in public after failing to hear from the Thingiverse for three days.
By this method, Hunt was able to establish a line of communication with Thingiverse. However, so far he has been unable to secure a disclosure notice from the platform, which he needs in order to bring the leak to the attention of his impacted subscribers.
“228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username] @makerbot.com, alongside password hashes. The highest ID in the users table 2,857,418 so the scope is much bigger,” explained Hunt (opens in new tab).
Internal human error
In response to TechRadar Pro’s email seeking comment on the leak, Bennie Sham, PR Manager of Thingiverse’s parent company MakerBot, played down the incident and told us that it was "an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users.”
While Sham didn’t comment on Hunt’s frustrating dealings with the platform regarding the exposure, she stressed that the affected Thingiverse users have been asked to update their passwords, even though there haven’t been any suspicious attempts to access Thingiverse accounts.
“We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management,” said Sham.
- Protect your devices with these best antivirus (opens in new tab) software