In simple English: An "unsalted password hash" is practically the same as "your plain-text password". "Decrypting" an unsalted hash is trivial. So Thingiverse leaked your password (and email) and if you've used that somewhere else, too, consider that account breached as well.
"unsalted [...] password hashes" ... I have no words. Change your passwords NOW.
The tweet says unsalted SHA-1 *or* bcrypt (which is fine). They were likely in a transition between the two and never finished it or did it correctly. Unfortunately, unless Makerbot provides more info you need to assume you’re in the first category, especially for long-time users.
Replying to @jtdowney @toms3dp
This is correct. Users who had old-style SHA-1 hashes were updated to bcrypt hashes the next time they signed in. This change was made starting in around 2016.

5:23 PM · Oct 14, 2021
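The upgrade-at-sign-in scheme described in the last reply, as an added sketch that is not Thingiverse's or MakerBot's code: it shows why accounts that never sign in again keep their unsalted SHA-1 record. PBKDF2 from the Python standard library stands in for bcrypt here, and every function name, record format and sample account is an assumption made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this sketch


def legacy_sha1(password):
    """Old-style record: unsalted SHA-1, identical for every user of this password."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def slow_salted_hash(password, salt=None):
    """New-style record: per-user random salt plus a slow KDF (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify_and_upgrade(users, name, password):
    """Check a login; on success, replace a legacy record with a salted one."""
    stored = users.get(name)
    if stored is None:
        return False
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(stored, legacy_sha1(password))
        if ok:
            # The plaintext is only available at sign-in, so this is the
            # only point where the record can be rehashed.
            users[name] = slow_salted_hash(password)
        return ok
    salt_hex = rest.partition("$")[0]
    candidate = slow_salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, candidate)


def still_legacy(users):
    """Accounts that have not signed in since the change and are still unsalted SHA-1."""
    return sorted(n for n, h in users.items() if h.startswith("sha1$"))


# Constructed sample data: three accounts created before the change.
USERS = {n: legacy_sha1(p) for n, p in
         [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "s3cret")]}
```

Running `still_legacy()` over the stored records is the check that tells an operator how many accounts the sign-in upgrade has not reached yet.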