A backup file from the Thingiverse 3D printing platform has been circulating on the Internet for almost exactly a year. The 36-gigabyte file contains around 228,000 email addresses and other personal data, including weakly encrypted passwords, according to a report by Data Breach Today.
The leak was made public by Troy Hunt, whose password-checking service HaveIBeenPwned now offers the option of checking your own Thingiverse credentials. The file was published on October 13, 2020 in the hacker forum RaidForums and has been available since then. According to his analysis, the data leak contains user names, e-mail addresses, IP addresses and physical addresses in addition to data on 3D models.
Passwords are also affected
Passwords are included only in encrypted form, but they are unsalted and encrypted using the bcrypt and SHA-1 algorithms, which are considered insecure. Gina Häußge, maintainer of the 3D printer software Octoprint3D, therefore advises changing your password immediately and has also provided instructions on how to do this on Twitter.
The operator of the platform, 3D printer manufacturer Makerbot, has so far made no public comment, according to Data Breach Today. Meanwhile, the Thingiverse account on Twitter is causing further confusion. A first tweet advised users to update their passwords and apologized for the “inconvenience”. It said the users concerned had already been informed and the internal error that led to the leak of the “non-sensitive” data had already been addressed. According to a later clarification, however, this related only to another, smaller leak.