Thingiverse suffers breach of 228,000 email addresses • The Register
Thingiverse, a site that hosts free-to-use 3D printer designs, has suffered a data breach — and at least 228,000 email addresses of unfortunate users are circulating in black-hat crime forums.
News of the breach came from Have I Been Pwned (HIBP), whose operator Troy Hunt loaded 228,000 breached email addresses into the site after being notified that they were being passed around in the forums.
Hunt said on Twitter that more than two million addresses had been breached. He qualified this by noting that the majority are email addresses that appear to have been generated by Thingiverse itself, judging by their format: webdev+$username@makerbot[.]s.
Hunt also says that some of the data includes poorly protected passwords: the one he highlighted was an unsalted SHA-1 hash of the password “test123”.
Thingiverse is owned by 3D printing company Makerbot, last seen on these pages in 2015, when it was cutting staff after failing to achieve “ambitious goals”.
Makerbot did not respond much to his private approaches, Hunt said on Twitter, eventually forcing him to go public in the hope of persuading someone to close the source of the breach.
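An unsalted SHA-1 hash of “test123” is exactly the kind of stored credential that a precomputed table reverses instantly. The following is an added example (not code from the article, HIBP or Makerbot) showing how a defender can audit a password store for that weakness and what the salted, iterated replacement looks like; the sample hash and the audit password list are constructed here.

```python
import hashlib
import hmac
import os

# Constructed sample: plain SHA-1 of "test123", the storage form described in the
# article. Computed locally; not a value taken from any leaked data.
UNSALTED_SHA1_TEST123 = hashlib.sha1(b"test123").hexdigest()

# Hypothetical audit list: weak defaults that turn up in developer/test accounts.
AUDIT_PASSWORDS = ["test123", "password", "123456"]


def looks_unsalted_sha1(stored_hash: str, candidates=AUDIT_PASSWORDS):
    """Return the candidate whose plain SHA-1 equals stored_hash, else None.

    A hit proves the hash was stored with no salt and no work factor, so any
    holder of the dump can reverse it from a lookup table. No hit only means
    none of the audit passwords matched, not that the storage is safe.
    """
    if len(stored_hash) != 40:
        return None  # not a hex-encoded SHA-1 digest
    for pw in candidates:
        digest = hashlib.sha1(pw.encode()).hexdigest()
        if hmac.compare_digest(digest, stored_hash.lower()):
            return pw
    return None


def hash_password(password: str, iterations: int = 600_000) -> str:
    """The fix: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Because each stored value carries its own random salt, two users with the same password get different records and a single lookup table no longer applies.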
In the meantime, I got a DM from someone claiming @thingiverse “To display a backup file”. I didn’t ask for details, so I never checked the statement (but I have good reason to believe this person), and during this process I was later told that “the bucket is set to private now.”
– Troy Hunt (@troyhunt) October 14, 2021
We asked Brooklyn-based Makerbot for comment on Hunt’s observations, which run to a number of tweets that can be read in full by clicking above. The company does not appear to have publicly acknowledged the breach so far.
Breach disclosure is sometimes a difficult topic. Earlier this week The Reg reported the case of a company that asked a researcher who was disclosing responsibly not to contact them again. In that case, the researcher was trying to warn the company that an exposed Laravel debug page was revealing the username and password for its database – quite disturbing, given that Schools Marketing Company Ltd claims to hold data on a million teachers and school administrative staff.
Earlier this year, a heavy-handed disclosure attempt by a techie who had previously worked with an open source organisation led to a call to the police and the threat of a Supreme Court lawsuit, all due to misunderstandings.
Some companies, however, simply don’t want to hear bad news – which makes it all the more important to contact them. ®