Thingiverse hacked, 228,102 accounts compromised.

Please Login to Comment

Got this notification from Have I Been Pwned.

Breach: Thingiverse

Date of breach: 13 Oct 2020

Number of accounts: 228,102

Compromised data: Dates of birth, Email addresses, IP addresses, Names, Passwords, Physical addresses, Usernames

Description: In October 2021, a database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community. Dating back to October 2020, the 36GB file contained 228 thousand unique email addresses, mostly alongside comments left on 3D models. The data also included usernames, IP addresses, full names and passwords stored as either unsalted SHA-1 or bcrypt hashes. In some cases, physical addresses was also exposed. Thingiverse's owner, MakerBot, is aware of the incident but at the time of writing, is yet to issue a disclosure statement. The data was provided to HIBP by dehashed.com.

Sucks that makerbot is STILL silent about the leak.

There was this, last Thursday:
“We became aware of and have addressed an internal human error that led to the exposure of some non-sensitive user data for a handful of Thingverse users. We have not identified any suspicious attempts to access Thingiverse accounts, and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure. We apologize for this incident and regret any inconvenience it has caused users. We are committed to protecting our valued stakeholders and assets, through transparency and rigorous security management.”

"..a handful of Thingverse users..." "... we encouraged the relevant Thingiverse members to update their passwords..." If they didn't contact you, you weren't affected by the leak.

Oh yes and didn't leak happen in 2020? Why didnt they do anything till leak was public?

When you discover it, you act. You can't act before you discover it, right?

Non-sensive hah. I'd call unsalted hashes of passwords sensitive. In least they did say something.

A lot of these sites store your password in plain text. Be thankful for small favors... Non-sensitive. Like the email addies, they were in the form of xxcoder@makerbot.com.

Yup, but then unsalted hashes, you can break them using rainbow tables and various methods. You can work back to any workable password. I bet you that thingverse didn't fix it either, probably didn't even fix whatever exploit person used to download all that.

Check it out... Search the phrase "plain text passwords" on that page. https://haveibeenpwned.com/PwnedWebsites. Sites are in alphabetical order. Thingiverse is nearer the bottom..

There's around 44. So something like 44 of those hacked websites stored passwords as plain text (the words "plain text" alone get around 80 hits, meaning other stuff was also unprotected.).

Any dumbbell who came across them would have them, without needed the slightest knowledge of decoding.

Remember the olden days, before internet, when businesses didn't even shred their customers' paperwork before dumping it in the dumpster? The internet hasn't made anyone smarter...

"... aware of and have addressed an internal human error ..." "Addressed". Sent him back to school? To me that says "We fired his dumb rear end."
Exploit.. From what I've gathered, I'd say backups of comments left on projects, perhaps along with forum comments, were exposed, unprotected. Thingiverse might back that stuff up in case law enforcement wanted to investigated illegal activities, like people selling drugs.

University of California ...... December 2020 ... "547 thousand unique email addresses, names, dates of birth, genders, social security numbers (!!!) ...etc.
Audi ... August 2019 ... ".. 2.7M email addresses..names, phone numbers, physical addresses.. vehicle information including VIN...some customers had driver's licenses, dates of birth, social security numbers.. .." 6 or 8 more attacks in that list involved SS numbers.. Those are the type worth worrying about.

The human race was not ready for the internet, and it still isn't. It may be the death of us. If I were King I'd shut it all down, and keep it down until the holes were patch.

As someone who has actually dealt with cybersecurity issues on a professional level, I assure you, this is also "worth worrying about" and could cause great harm to people. Sometimes one small piece of information like a name or a password or a city is all a criminal needs to find OTHER information from a different source to allow full blown identity theft. They could use the password to log on to other websites that may have MORE information about the person if a unique password wasn't used, or even without the password they can use a name or location to find additional info from a Facebook or LinkedIn profile for example. You can put information together from different sources like puzzle pieces, and sometimes you just need a small piece of information as a starting point. They can also just use a phone number or email address to do some social engineering. You'd be surprised how gullible people are. (But gullibility isn't the crime)

Of course you are right, a dedicated data analyst or even a team of them with time to follow all the traces could use even such marginal information as "maker", city or where I host my mail as the key to build a much more detailed profile.
However, the theoretical possibility is limited in real life by economical considerations.
If I have such a team at my neck then I'm in for much bigger problems than what the few personal data on thingiverse could ever bring me.

The worst collateral from such a leakage I see is when someone still comitted the cardinal error to reuse a password for more than one site. The costs of trying an email/pasword combo, or just a leaked password, on a bazillion of other sites is close to nothing and my server logs say it is tried out continously.

Errors should never happen, precautions should always be sufficient and people should give up making silly mistakes. Make it a law.

Then you know it happens 5 times a day, exposing an average of 100,000 customers information per event. But these days the internet is still just a convenience, and at worst money might be lost. Someday our lives will depend on this insecure, broken system. I suggest we fix it before "The Big One" hits, planes fall from the sky and autonomous cars drive themselves off the cliff..

I'm not commenting on the rest of that, but telling people about other worse hacks and telling them that these are the ones worth worrying about implies that this one isn't worth worrying about, that Makerbot should be given a pass, and invites people to be complacent. I don't think this is in anyone's best interests.

The technology is broken. Every company, every government agency is vulnerable. Everyone gets hacked. Everyone gets a pass.

You're right, you should boycott the internet.

I already do, to the degree that I am able.
Speaking of clever hacks, I recall there was this kid who flew his drone next to a big office building, equipped with those smart bulbs. It's nighttime, and he forced the different offices to light up, making patterns.. Pretty funny. Welcome to the Internet Of Things... Some of the hacks won't be funny at all.

Thanks for the info! Unpleasant indeed.
Just go to Makerbot account and change your password. And then open your Thingiverse account and wipe out all personal information.
Unfortunately the damage is already done, the data had leaked out, now can't stop it. Fortunately there was no financial information stored on the site, neither more sensitive personal information like phone numbers, address, real name and birth data, social security, etc. . So we should be able to move along.

.... no financial information ... but there is that PayPal linkage. I don't know what else hackers could be interested in. Doubtful it is our wonderful designs. The paypal acct might be linked to a debit card, savings, credit card or whatever type of bank account.

Hacked PayPal accounts tripled in value during pandemic
Sep 8, 2021 — Security researchers have discovered that the value of hacked PayPal accounts have spiked by 293% during the pandemic, almost tripling in a ... (itpro dot com)

Hackers are selling hacked PayPal accounts for 10 cents per dollar that is in the account.

your paypal account was exposed the moment you applied for tips. how do you think the tipping works? you login to your paypal accaunt and send amount x to paypal user y account, at that moment you have his paypal account. but that's not a security breach, it's just how paypal works.

I know how tipping works, but I don't know how hacking works.

Comment has been deleted

Thanx. I changed my pw even though i use a different one for every site. Not much they could do on here except get me banned maybe....

These hacks happens all the time, and the talk is the same...

Changed your password and email-adresse stored at Makerbot/Thingyverse, and move on.

If you use the same password elsewhere, change it too, and start using a unique password per site. The same goes for your email address.

Great advice - this is really where the risk of a hack like this comes from - usernames and passwords that are not unique to different sites. If one uses the same password over multiple sites, their password is only as safe as the site with the weakest security (like Thinginverse). A password manager is really a requirement for having a basic level of security these days. Enabling 2 factor authentication (2FA) where possible is another good way to safeguard things, but that's just "belts and suspenders" since 2FA helps if your password was hacked. Anything is better than reusing passwords though.

Oh so Thingiverse FINALLY said something, and good lord they really would've been better off staying silent: https://twitter.com/thingiverse/status/1448754035528552451

"Non sensitive" data and "change your passwords" used in the same paragraph.

I'm done. My models have been removed, and I'm closing my account.

Thingiverse needs to close NOW. Remove your files, change the descriptions to say which of the many better sites you are now using and let this steaming pile of crap finally die like it should've years ago.

All this is showing now is that Makerbot / Stratasys don't care at all about the maker community.

If Thingiverse shuts down, where will those "better" sites steal projects and customers from?
Seriously now... in 2019 alone, about 1,500 businesses were hacked, resulting in 164,000,000 customer records exposed.

Seems like a good reason to not have anything with monetary value associated with this fun little hobby.... like a PayPal account.

The real danger is in identity theft and the fact that many people use the same password for multiple services, and someone could use info from this hack to get in to something else that is more important.

Personally if my Thingiverse account disappeared tomorrow, it wouldn't really affect me a whole lot. Mild inconvenience.

My brick-n-mortar bank emailed, offering to connect a bank account to an online PayPal account. I was dumbfounded..

Thanks for the warning!

Saw Maker's Muse video just a short while ago and changed my password just in case.

Lack of response from Thingiverse speaks volumes.

I checked my email address on https://haveibeenpwned.com/ and luckily not in the Thingiverse breach, only 2 back in 2017, Disqus and some online spambot list.

Maker's Muse has a YouTube video "Thingiverse was breached ! Change your passwords..." - with frank, but fair, comments.

Thanks. Got the same message. Fortunately I use a password manager (keepassxc). And have already changed password.

MakerBot has a LOT to answer for here.

  • It was a leak of an old database dump left publicly accessible on an S3 bucket
  • The passwords are only using SHA1 with no salt - an EXTREMELY weak (and practically worthless) way of protecting passwords
  • They were told about this on twitter in September and promptly ignored it
  • Troy Hunt (creator of HaveIBeenPwned) tried to get them to disclose this, and they are STILL brushing it off with the pathetic "We're looking into it" excuse.


This is what happens when you put zero time into technical debt. I hope Makerbot burns.

Thanks for the heads up! I checked the mail address I have for thingiverse at pwned and apparently it wasn't among the leaked accounts. And the danger of collateral damage is low as I use a specific email address for almost any site, and individual passwords, too. Still changed my password immediately.

Thingiverse really should, among other security related upgrades, add 2-factor auth. Or rather should have added. A long time ago.

Thanks, I got the same notification (and already changed my password).

Data austerity is a good thing when cloud services don't guard your data effectively!

i just got one from Firefox Monitor

Thanks for the heads up!