A 32 GB Thingiverse data breach has affected 228,000 accounts, sources say, revealing user data such as names, dates of birth, physical addresses, IP addresses, and random salted (encrypted) passwords. Time to change those login details, folks.

Data breach outlets are reporting the breach to be the result of a publicly accessible MySQL backup from October 2020, uncovered on October 1, 2021 by Twitter user “pompompurin”, who claimed a third party reviewed the data and reached out to Thingiverse and MakerBot before releasing the data on a popular hacking forum.

Just today, Thingiverse took to Twitter to address the breach, claiming that fewer than 500 users were affected and that the data involved was non-sensitive. The affected users were notified, the repository said.


However, a quick look at the thread suggests that’s not the case. Many users who received no such notification are confirming, via Troy Hunt’s data breach assessment website haveibeenpwned.com, that they were part of the hack. Users say they’re frustrated not only that Thingiverse and MakerBot failed to protect this data in the first place, but also at the repository and parent company’s lack of remediation and downplaying of the incident.

This isn’t the first time Thingiverse has proven to be a vulnerable website. In early 2018 it was revealed that some users were unwittingly mining cryptocurrency via embedded code in model comment sections while browsing the repository.

Given the website’s poor response to this second attack, many 3D printing influencers are mounting calls to leave Thingiverse. Some users are deleting their accounts and digital artists are migrating their work to other repositories.

For now, it’s advised that affected users change their Thingiverse passwords and, if that password was used on any other online service, change it there as well. Whether this latest breach shakes the website’s standing as the go-to 3D printing repository remains to be seen.
