3D printing site Thingiverse suffers major user data breach
Date:
Fri, 15 Oct 2021 09:36:22 +0000
Description:
Credentials of several hundred thousand Thingiverse users have been found circulating on hacker forums.
FULL STORY ======================================================================
About 228,000 users of popular 3D printing platform Thingiverse have reportedly had their authentication details stolen and published on the dark web.
The news of the leak doesnt come from Thingiverse itself, but rather from
Have I Been Pwned (HIBP) , which got hold of the leaked details of the compromised accounts after receiving a tip last week.
Thingiverse had 228k unique email addresses exposed in an Oct 2020 DB backup found circulating last week. Data included usernames, IPs, DoBs and unsalted SHA-1 or bcrypt password hashes, tweeted HIPB. TechRadar needs you!
We're looking at how our readers use VPNs with streaming sites like Netflix
so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
Click here to start the survey in a new window << Shield yourself with these best identity theft protection services We've put together a list of
the best endpoint protection software Check our list of the best firewall
apps and services
HIPBs creator and maintainer Troy Hunt added that the data has been circulating extensively on a popular hacking forum. Disclosure notice
As if the leak wasnt bad enough, Hunt says hes had a frustrating experience getting Thingiverses attention.
Hunt claims he tried reaching out to the company via its contact form and also sent a direct message on Twitter, but was forced to tweet the firm in public after failing to hear from the Thingiverse for three days.
By this method, Hunt was able to establish a line of communication with Thingiverse. However, so far he has been unable to secure a disclosure notice from the platform, which he needs in order to bring the leak to the attention of his impacted subscribers.
228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username] @makerbot.com, alongside password hashes. The highest ID in the users table 2,857,418 so the scope is much bigger, explained Hunt . Internal human error
In response to TechRadar Pro s email seeking comment on the leak, Bennie
Sham, PR Manager of Thingiverses parent company MakerBot, played down the incident and told us that it was "an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users.
While Sham didnt comment on Hunts frustrating dealings with the platform regarding the exposure, she stressed that the affected Thingiverse users have been asked to update their passwords, even though there havent been any suspicious attempts to access Thingiverse accounts.
We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management, said Sham. Protect
your devices with these best antivirus software
======================================================================
Link to news story:
https://www.techradar.com/news/3d-printing-site-thingiverse-hit-by-major-user- data-breach/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)