Thingiverse Security Breach Exposes Data of 228,000 Users

17 June 2024 | databreachtoday.com

A data leak involving Thingiverse has compromised the information of 228,000 subscribers. Troy Hunt confirms the breach, revealing sensitive data shared on a hacking forum.

Key Takeaways

  1. According to Hunt's analysis, the data breach consists of a MySQL database with over 255 million data entries.
  2. Hunt asked on Twitter, "Anyone got a security contact at @thingiverse? They’re not replying to DMs or threats." This lack of response from the company raises concerns about their commitment to user security in light of such a significant data breach.
  3. "The earliest date stamps in the data set appear to go back about a decade," Hunt stated. The leaked data is not limited to just 3D models that are publicly accessible.

A significant data breach has recently come to light, affecting approximately 228,000 users of Thingiverse, a well-known platform for sharing user-generated digital design files. Troy Hunt, the creator of the breach notification service Have I Been Pwned, has confirmed that a leaked 36GB backup file containing sensitive information has been circulated on a popular hacking forum.

According to Hunt's analysis, the data breach consists of a MySQL database with over 255 million data entries. "The earliest date stamps in the data set appear to go back about a decade," Hunt stated, indicating how far back the captured data reaches.

The leaked data is not limited to just 3D models that are publicly accessible. It also encompasses critical personal information including email addresses, usernames, physical addresses, and full names. In a detailed breakdown, Hunt commented, "There is data on the 3D models that are publicly accessible, but there are also email and IP addresses, usernames, physical addresses and full names."

Most of the exposed email addresses follow a particular format, appearing as webdev+[username]@makerbot.com, and the reason behind this unusual structure remains unclear. Hunt provided an example of the compromised data, revealing elements such as bcrypt password hashes and users' birthdates, which further underscores the breach's seriousness. “I haven’t found passwords at this time,” he reassured, noting that plain text passwords do not seem to be part of the leak.

The unsettling reality is that this public leak occurred on October 13, 2020, and has reportedly remained unsecured since then. Hunt remarked on the potential risks involved, emphasizing that while users might feel somewhat relieved by the absence of plain text password exposure, their other sensitive data is still at risk.

In attempts to gain clarity, both Hunt and Information Security Media Group (ISMG) reached out multiple times to MakerBot, the parent company of Thingiverse, but their inquiries went unanswered. Hunt even took to Twitter to ask, "Anyone got a security contact at @thingiverse? They’re not replying to DMs or threats." This lack of response from the company raises concerns about their commitment to user security in light of such a significant data breach.

Thingiverse's role as a major platform for 3D printing enthusiasts and creatives could make this breach even more damaging, as it compromises the trust of its user base, many of whom share valuable and creative designs under licenses such as the GNU General Public License or Creative Commons licenses. The importance of maintaining user security on such platforms cannot be overstated, and incidents like this highlight the critical need for robust data protection measures.

Going forward, users are urged to remain vigilant, especially when it comes to safeguarding their personal information. They should consider changing their passwords and monitoring their accounts for any unusual activity. The implications of this breach may extend beyond just the immediate scope, as it raises awareness about broader security practices within online platforms that handle user data. The call for better security protocols and responsive communication from companies like MakerBot has never been more pronounced.
