Major hack at Thingiverse results in data leak of 228,000 users
3D Printing Industry has stated that the personal data of 228,000 Thingiverse users has been circulating online among the hacking community for one year. The breach, which originally occurred in October 2020, resulted in the leak of a 36 GB data cache supposedly comprising identifiable user information. Thingiverse is an open website where anyone can post 3D models for 3D printing.
Troy Hunt, creator of the ‘Have I Been Pwned’ website, was notified of the data leak on a hacking forum on October 1, 2021. Afterwards, Hunt relayed the information about the data hack to cybersecurity intelligence firm Information Security Media Group (ISMG). Hunt informed ISMG that the data cache contained the emails, IP addresses, locations, usernames and actual names of subscribers. He also alleged that the data cache was derived from a compromised Thingiverse backup that had apparently been left publicly accessible.
3D Printing Industry also reported that Thingiverse was hacked in December 2017 due to the openness of the website. Consequently, users of the site were susceptible to cryptomining hacks. However, MakerBot, founder of Thingiverse, assured users that the flaw had been resolved at that time.
Similarly, Hunt and others blamed the open nature of Thingiverse for the recent data breach and have criticized MakerBot for not publicly acknowledging the hack during the past year. On October 14, 2021, 3D Printing Industry reported that MakerBot finally released a public statement to apologise for the data leak incident. MakerBot has claimed that the user data was non-sensitive and was leaked due to human error, and has recommended that relevant users of the website change their passwords as a precaution.