There's more background to this; it's been a frustrating experience. I use @thingiverse *a lot* to pull down 3D models so this is all particularly close to home for me.
New breach: Thingiverse had 228k unique email addresses exposed in an Oct 2020 DB backup found circulating last week. Data included usernames, IPs, DoBs and unsalted SHA-1 or bcrypt password hashes. 83% of addresses were already in @haveibeenpwned. More: databreachtoday.com/thingive…

10:16 AM · Oct 14, 2021

This began with someone sending me @thingiverse data last week. It was released on a popular hacking forum around the same time where it circulated *extensively*. Lots of people already had this data and plenty of them have nefarious intent.
I contacted @thingiverse Saturday morning my time both via their contact form and Twitter DM. Nothing back. Nada. 3 days later and without response, I reach out publicly:
Anyone got a security contact at @thingiverse? They’re not replying to DMs or their contact form. I use this site a lot myself so I’d *really* like to get in touch with someone there.
Within hours, someone from @makerbot contacts me. I send them a link to the hacking forum 30 mins later and offer to provide the data I'd been sent, mentioning that "I believe it’s highly likely the breach is legitimate".
Early Wednesday and they're "looking into this". Couple of hours later and I ask for a disclosure notice so I can point impacted @haveibeenpwned subscribers to it. No reply, so 24 hours later I advise I'm notifying my subscribers "in the coming hours", how about that disclosure?
"We are taking this matter very seriously", and they expect to issue a notice "in due course". No timelines. This is now 6 days after it's clear the data is in the wrong hands and being redistributed. Email addresses, names, IPs, a bunch of physical addresses. Passwords.
Meanwhile, I get a DM from someone who alleges @thingiverse "have a backup file exposed". I don't ask details, so I never verified the claim (but I have strong reasons to believe this person), and during this process they later told me that "the bucket is set to private now".
The frustration is simply this: what do I do? I've now got 4M+ @haveibeenpwned subscribers I made a commitment to notify if I find their data circulating. I don't tell them, I let them down. I tell them too early, I put the impacted company in an awkward position.
We're talking email addresses, usernames and passwords which in some cases, are simply stored as unsalted SHA-1 hashes. For example, 7288edd0fc3ffcbe93a0cf06e3568e28521687bc is present which is simply "test123". This is account takeover stuff for *other* services as well.
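To make the point in the tweet above concrete, here is an added example (mine, not from the thread and not Thingiverse's code) of why an unsalted SHA-1 password column is account-takeover material: one precomputed table of hashed wordlist entries cracks every user at once with no hashing per user, and identical hashes reveal shared passwords before any cracking, whereas even a per-user salt forces the attacker to redo the wordlist for each account. The usernames, wordlist, salts and rows are constructed sample data; the only real value is the hash quoted in the tweet.

```python
import hashlib

# The one hash quoted in the tweet; the tweet says it is SHA-1 of "test123".
LEAKED_HASH = "7288edd0fc3ffcbe93a0cf06e3568e28521687bc"


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password, as the legacy rows stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Hash the wordlist once. With no salt this single table applies to every user."""
    return {sha1_hex(w): w for w in wordlist}


def crack_unsalted(rows, lookup):
    """rows: (username, sha1_hex). One dict lookup per user, no hashing at all."""
    return {user: lookup[h] for user, h in rows if h in lookup}


def shared_passwords(rows):
    """Identical unsalted hashes mean identical passwords, visible before any cracking."""
    by_hash = {}
    for user, h in rows:
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def sha1_salted_hex(salt: str, password: str) -> str:
    """Salted variant for contrast (still SHA-1, still far too fast, but not table-able)."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def crack_salted(rows, wordlist):
    """rows: (username, salt, hash). The wordlist has to be re-hashed for every user."""
    hits, attempts = {}, 0
    for user, salt, h in rows:
        for w in wordlist:
            attempts += 1
            if sha1_salted_hex(salt, w) == h:
                hits[user] = w
                break
    return hits, attempts


# Constructed sample data (not breach data).
WORDLIST = ["password", "123456", "test123", "letmein", "qwerty"]
UNSALTED_ROWS = [
    ("alice", LEAKED_HASH),
    ("bob", sha1_hex("letmein")),
    ("carol", LEAKED_HASH),  # same hash as alice: same password, no salt
    ("dave", sha1_hex("correct horse battery staple")),
]
SALTED_ROWS = [
    ("alice", "a1", sha1_salted_hex("a1", "test123")),
    ("carol", "c3", sha1_salted_hex("c3", "test123")),
]


def demo():
    lookup = build_lookup(WORDLIST)
    salted_hits, attempts = crack_salted(SALTED_ROWS, WORDLIST)
    return {
        "unsalted_hits": crack_unsalted(UNSALTED_ROWS, lookup),
        "shared": shared_passwords(UNSALTED_ROWS),
        "salted_hits": salted_hits,
        "salted_attempts": attempts,
    }


if __name__ == "__main__":
    print("quoted hash is SHA-1('test123'):", sha1_hex("test123") == LEAKED_HASH)
    print(demo())
```

Against a real dump the wordlist is hundreds of millions of entries and the table is built once for the whole 2.8M-row users table; the salted variant would cost that much work per account, which is why the thread's "account takeover stuff for other services" follows directly from the missing salt.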
228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username]@makerbot.com, alongside password hashes. The highest ID in the users table is 2,857,418 so the scope is much bigger than the pwn count in @haveibeenpwned.
All the time I spend chasing an org to firstly get in touch with them, then provide them the data then push them to disclose properly is time I'm not spending processing the troves of other undisclosed breaches! So more of it goes unreported, and victims suffer.
This isn't just a @thingiverse / @makerbot issue, they're just the most recent in a long history of painful disclosures that sap me of time for trying to do the right thing, whilst those doing the wrong thing get extended lead time to exploit victims as a result. This sucks.
From the friend that got me into 3D printing in the first place. Every breach has a silver lining 🙂
This happens over and over again in data breaches. If you're migrating from [bad hashing algo] to [good hashing algo], hash the bad hashes with the good algo *right now*, don't wait for everyone to login and just prolong the risk
Replying to @jtdowney @toms3dp
This is correct. Users which had old-style SHA-1 hashes were updated to bcrypt hashes next time they signed in. This change was made starting in around 2016.
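The advice in the tweet above ("hash the bad hashes with the good algo *right now*"), and the lazy-on-login migration the reply describes, as an added worked example. This is my illustration, not Thingiverse's or MakerBot's code: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so it runs without third-party packages, and the scheme names, iteration count and the two sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed work factor; PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with Python.
ITERATIONS = 50_000


def legacy_sha1(password: str) -> str:
    """What the old rows held: unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(material: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS).hex()


def make_native(password: str) -> dict:
    """Row for a password we actually have (registration, reset, or a successful login)."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": strong_hash(password, salt)}


def wrap_legacy_now(row: dict) -> dict:
    """Batch step run over the whole table today: strong_hash(old_sha1_hex, fresh salt).
    It needs no password, so it does not wait for the user to log in."""
    if row["scheme"] != "sha1":
        return row
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(sha1)", "salt": salt.hex(), "hash": strong_hash(row["hash"], salt)}


def verify(row: dict, password: str):
    """Returns (ok, replacement). replacement is a native row to persist when the
    login succeeded against a non-native row, otherwise None."""
    scheme = row["scheme"]
    if scheme == "sha1":
        expected = legacy_sha1(password)
    elif scheme == "pbkdf2(sha1)":
        expected = strong_hash(legacy_sha1(password), bytes.fromhex(row["salt"]))
    elif scheme == "pbkdf2":
        expected = strong_hash(password, bytes.fromhex(row["salt"]))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    ok = hmac.compare_digest(row["hash"], expected)
    return ok, (make_native(password) if ok and scheme != "pbkdf2" else None)


def demo():
    # Constructed table: two legacy users, one of whom never logs in again.
    store = {
        "alice": {"scheme": "sha1", "hash": legacy_sha1("test123")},
        "bob": {"scheme": "sha1", "hash": legacy_sha1("letmein")},
    }
    # Lazy migration only: a leaked copy still yields to a precomputed table.
    table = {legacy_sha1(w): w for w in ["password", "test123", "letmein", "123456"]}
    before = sorted(u for u, r in store.items() if r["hash"] in table)
    # Eager migration: wrap every row now.
    store = {u: wrap_legacy_now(r) for u, r in store.items()}
    after = sorted(u for u, r in store.items() if r["hash"] in table)
    # Alice's next login verifies through the wrapper and is re-hashed natively.
    ok, replacement = verify(store["alice"], "test123")
    if replacement:
        store["alice"] = replacement
    bad, _ = verify(store["alice"], "test124")
    return {
        "crackable_before": before,
        "crackable_after": after,
        "alice_login": ok and not bad,
        "alice_scheme": store["alice"]["scheme"],
        "bob_scheme": store["bob"]["scheme"],  # never logged in, still protected
    }


if __name__ == "__main__":
    print(demo())
```

The wrapped form protects the at-rest copy immediately: a dump taken after the batch step contains no unsalted SHA-1 for a table attack to hit, even for users who never return. On the next successful login the wrapper is replaced with a native hash, as the code does, so the inner SHA-1 does not linger. A store that still held plain SHA-1 rows in 2020 after a migration started in 2016 is exactly the gap the lazy approach leaves.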
Official statement from @makerbot on the @thingiverse data breach:
Statement from @thingiverse below. 2 questions: 1. Have you received a disclosure notice from them? Particularly interested if you got one from @haveibeenpwned. 2. Are passwords sensitive or non-sensitive?
We are aware of and have addressed an internal error that led to the exposure of some non-sensitive user data on Thingiverse. We issued a notice to the affected users, and encourage you to update the password of your Thingiverse account. We apologize for this inconvenience.
I sent emails to 10,646 individual @haveibeenpwned subscribers and a further 1,028 to subscribers monitoring domains. So far, I’ve had zero responses saying they weren’t @thingiverse users and plenty of confirmations that they were. It’s unclear where “less than 500” came from.
For clarification, the exposure affected a handful (less than 500) of real user data. The non-production, non-sensitive data included encrypted passwords (random salted) with mostly testing data. The affected users have been notified.
People without email addresses have still had usernames (which are frequently personally identifying) and passwords exposed. Matching a password like @nixgeek’s randomly generated one from @1Password doesn’t happen by accident…
I don’t think @rhematt was within @thingiverse’s “less than 500” 🤔
Replying to @troyhunt
Haven't received a disclosure from @thingiverse. Was notified by your @haveibeenpwned this morning. Password wasn't that sensitive as I use unique passes for every site. Data it gives you access to on the other hand is - PayPal donations etc?
Account exists, no disclosure received from @thingiverse
Notified by HIBP, no disclosure notice from Thingiverse. Logged in to reset my password earlier today and was not shown any alerts or anything informing me as such.
It’s like there’s an echo in here
The email address I use for Thingiverse shows as included in the breach on HIBP. No notification from Thingiverse.
I’m beginning to think they may have missed some folks
Maybe it’s just coincidental 🤷‍♂️
Replying to @troyhunt
I was in the breach, I did not receive anything from thingiverse. They either don't understand or don't care about what happened there and the magnitude of it.
Some more detailed analysis:
I was curious about this claim so I downloaded the leaked database myself and did some analysis. Here’s what I found 🧵
This (if accurate) really needs more air time:
Replying to @tjhorner
Also of note: with this leaked data there is a way to take control of every internet-connected MakerBot printer owned by any user in this leak, with users unable to do anything about it.
Some serious commentary on this saga given it’s now 1 week since I first disclosed it to @thingiverse: When a breached organisation doesn’t react promptly, transparently and honestly, they create a vacuum of information. Without answers, people seek them out.
Sometimes they’re speculative, sometimes they’re on the money. But what happens is that the general public and the media set the narrative and the breached organisation is judged by the conclusions of other people. They completely lose control of the messaging.
There will be lawyers and PR people controlling @thingiverse’s response and frequently, their objectives are counter to what’s in the best interests of those in the breach. They’re interested in damage control; minimising the impact to the company and ultimately, to shareholders.
That said, it’s hard to imagine how the outright falsehoods that have come via @thingiverse’s 2 embedded tweets above will do them any favours. I can’t imagine they’re deliberate lies - it’s too easy to disprove them - so is someone giving them wacky technical analysis?
And how is it possible that folks sitting around at home with a bit of spare time can analyse the data and come up with accurate commentary whilst the organisation that owns it doesn’t seem to know what’s in there? It defies logic.