Thingiverse, a website for the community to share 3D printing templates and other digital design files, has become the victim of an unfortunate data breach. A 36GB unique email address and “other personally identifiable information” appeared on a popular hacker forum.The leak is confirmed Am i stolen Creator Troy Hunt in a statement Information Security Media Group.
According to Hunter, the leaked backup file appears to contain a MySQL database containing more than 255 million rows of data. This includes “publicly accessible 3D model data, but also email and IP addresses, user names, physical addresses, and full names.” The date stamp seems to go back at least ten years ago.
Although there is no indication that the plain text password has been leaked, Have I been tweeted by Pwned Regarding the existence of “unsalted SHA-1 or bcrypt password hash” in the data. Salt is random data that is added to the hashing process (a one-way transformation) to increase complexity. Although the hashed password is still unreadable without effort, it is easier to decrypt without salt.
The vulnerability was first discovered by a Twitter user on October 1st Villin, Due to “S3 bucket configuration error” in Thingiverse backup data.
MakerBot, the owner of Thingiverse, has been aware of the incident, but has not issued a statement at the time of writing. Now is a good time to change your Thingiverse password and the passwords of any other sites where you may inadvertently reuse the same credentials.