
Thingiverse breached but how badly is unclear

There has been a breach at Thingiverse, a website that hosts 3D printer designs we’ve featured many times before here on Hypertext. Unfortunately, how bad this breach is depends on who you ask.

Let’s start with Have I Been Pwned creator Troy Hunt, who was sent data from Thingiverse by somebody who had seen it on a hacking forum. According to Hunt’s analysis, the data contains over 228 000 unique email addresses and poorly encrypted passwords. That figure doesn’t include two million addresses that appear to have been created by the platform itself, such as webdev+[username]@makerbot.com.

However, Thingiverse has seemingly disputed this figure, instead stating that “…the exposure affected a handful (less than 500) of real user data. The non-production, non-sensitive data included encrypted passwords (random salted) with mostly testing data. The affected users have been notified.”

The website said in a statement sent to The Register that the breach was caused by an internal human error that only exposed a “handful of Thingiverse users”.

“We have not identified any suspicious attempts to access Thingiverse accounts, and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure,” reads the statement.

“We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management,” the website added.

Despite this statement, Hunt has questioned whether Thingiverse’s figures are accurate and, frankly, so do we. Although we did not receive an email from Thingiverse, our email address was found during a search of Have I Been Pwned, which raises the question: if only ~500 accounts were exposed and our email was one of them, why were we not notified by Thingiverse?

What makes this situation more aggravating is the number of hoops Hunt had to jump through just to get in touch with the site.

For anybody who has made use of Thingiverse, we urge you to head to Have I Been Pwned to check if your details were exposed and, if they were (and even if they weren’t), change your password. We’ve experienced a lag in the password reset functionality, so we recommend logging into your Thingiverse account and changing it manually from there.

You can read Hunt’s full thread about this matter below.

[Image – CC 0 Pixabay]
