What should have been a routine account administration notice early on Monday this week has backfired on eSun. An email from the 3D printing material manufacturer’s webstore team, sent to those with an account with the company, detailed an upgrade to the website and subsequent account migration, advising users to update their password after logging in to secure their accounts.

The problem? Following the site’s update, all user passwords were wiped and reset to use the email address used for the account. The note reads: “In order to ensure the security of your account, we have reset all the login passwords, and the default password after reset is [the] same as your email account.”

The initial message, including the security oversight of setting all passwords to something that could easily be breached (Source: All3DP)

To anyone well-versed in basic web hygiene, this is a no-no. Not only does your password no longer meet any reasonable security standard (assuming eSun enforced a minimum password strength before), but every password is now predictable: it is simply the email address on the account. We’re not suggesting there was an imminent danger to anyone holding an account with eSun, but aggregated lists of email addresses do leak from time to time, and those lists often form the basis for large-scale attempts to gain access to accounts.

Additionally, as best we can tell from scanning eSun’s social media presence, the email was the only notification of this password change. The implication of this is that accounts could potentially sit for a long time with a weak and predictable password before the account owner would be any the wiser, increasing the exposure to a potential breach.

While it doesn’t appear that payment information is stored with an account, order histories plus shipping and billing addresses – personally identifiable information – are.

Fortunately, between initial work on this article and publication, eSun appears to have corrected its error, with a comment on Reddit pointing to a subsequent mailing some hours later that backtracked on the password changes, providing users instead with a password reset link and apologizing for the mistake. We haven’t seen this message first-hand but have a copy of the original message notifying users of the change.
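To make the difference between the two mailings concrete, here is an added illustration (not eSun’s code, and not from the original article) of an account migration done the way the first email described, next to the way the follow-up did it: no usable password, and a single-use, time-limited reset link per account. The account store, the hashing helper and the reset URL are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed, minimal account record used only for this illustration.
@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None     # None: no password can log in
    reset_token_hash: Optional[str] = None  # only a hash of the token is stored
    reset_expires: float = 0.0

def hash_secret(secret: str) -> str:
    # Illustrative stand-in; a real system uses a slow, salted hash (argon2/bcrypt).
    return hashlib.sha256(secret.encode()).hexdigest()

def migrate_insecure(accounts):
    """What the first mailing described: the default password is the email address."""
    for a in accounts.values():
        a.password_hash = hash_secret(a.email)

def migrate_secure(accounts, ttl_seconds=3600, now=None):
    """What the follow-up did: invalidate the password, issue one reset link per account."""
    now = time.time() if now is None else now
    links = {}
    for a in accounts.values():
        a.password_hash = None
        token = secrets.token_urlsafe(32)
        a.reset_token_hash = hash_secret(token)
        a.reset_expires = now + ttl_seconds
        links[a.email] = f"https://shop.example.invalid/reset?token={token}"  # hypothetical URL
    return links

def login(accounts, email, password):
    a = accounts.get(email)
    if a is None or a.password_hash is None:
        return False
    return hmac.compare_digest(a.password_hash, hash_secret(password))

def redeem_reset(accounts, email, token, new_password, now=None):
    now = time.time() if now is None else now
    a = accounts.get(email)
    if a is None or a.reset_token_hash is None or now > a.reset_expires:
        return False
    if not hmac.compare_digest(a.reset_token_hash, hash_secret(token)):
        return False
    a.reset_token_hash = None  # single use: a second click on the link does nothing
    a.password_hash = hash_secret(new_password)
    return True
```

After the insecure migration the email address alone logs in; after the secure one nothing logs in until the link is redeemed, and the link works exactly once within its lifetime.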

So, consider this a flag raised. Update your password if you’ve ever shopped at eSun directly and pass the message along to anyone you know who has in the past.

All3DP contacted eSun for comment but received no reply at the time of publishing this article. We’ll slip an update note below if we hear back.
