In mid-October, we reported that Thingiverse, the largest library of free 3D printing models, had suffered a large user data leak. A popular hacking forum shared 228,000 unique records containing data such as e-mail addresses, passwords, usernames, IP addresses, and in some cases also physical addresses of computers. Nearly two months after that event, the owner of the platform, MakerBot, finally issued an official statement on this matte …
After an internal investigation, it was found that the data was released on October 16, 2020 as a result of an unspecified “human error”. MakerBot did not discover this (or, more precisely, “was informed” of it) until one year later, on October 12, 2021. No suspicious attempts to access Thingiverse accounts or use exposed tokens were identified, and the platform itself was not attacked or damaged.
The leak was limited to the data of users who created accounts on Thingiverse in 2010-2018 and included data such as: username, Twitter data, hashed passwords, e-mail addresses, e-mail addresses associated with PayPal accounts (which were used to send voluntary tips to Thingiverse users for their projects), phone numbers, IP addresses, reported physical addresses of computers, direct messages sent between users, unpublished 3D designs and tokens.
MakerBot assures users that it has taken appropriate steps to prevent this type of situation in the future:
- the source of the leak was found, an internal bug that made it possible was fixed, and public access to disclosed data was removed
- access to all hacked tokens was blocked
- the passwords of users whose e-mail addresses were disclosed were identified and reset.