Thingiverse begrudgingly admits massive data breach

At least 228,000 unique user emails, potentially along with other information such as names, IP addresses, passwords, and even physical addresses, were exposed in a massive data breach of the popular 3D-printing hub, Thingiverse. Hackers culled the info roughly a year ago from a database backup of the website, but the service has only recently (not to mention begrudgingly) confirmed the issue to security expert Troy Hunt, founder of Have I Been Pwned?, who detailed his uphill battle discussing the matter with Thingiverse officials yesterday via Twitter.

“Thingiverse had 228k unique email addresses exposed in an Oct 2020 DB backup found circulating last week. Data included usernames, IPs, DoBs and unsalted SHA-1 or bcrypt password hashes,” Hunt explained, later adding it has taken more than six days for Thingiverse to move on the issue.

Many, many more possibly affected — Hunt also made clear that, while nearly 230,000 unique emails are part of the data cache, the actual pool of affected Thingiverse users could be much higher. “228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username] @makerbot.com, alongside password hashes. The highest ID in the users table 2,857,418 so the scope is much bigger,” explained Hunt.

Thingiverse swears all is well — Thingiverse, for its part, appears to be doing all it can to assure everyone that the breach isn’t all that big of a deal... which is certainly one strategy for damage control. “We are aware of and have addressed an internal error that led to the exposure of some non-sensitive user data on Thingiverse,” the site’s official Twitter account posted yesterday, later claiming that, in fact, the hack only really concerns around 500 users.

Meanwhile, PR reps allege that the information which was leaked is largely inconsequential, telling Tech Radar “an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingiverse users.” Hunt, for his part, has cast aspersions on that number and is unsure exactly where the “500” comes from. This may not be the last we hear about this.