Popular 3D print service Shapeways announced today they’ve experienced a possibly major security incident.
We are currently investigating an incident involving unauthorized access to our systems. The intruders may have accessed some user names, email addresses, and shipping addresses. They did not access any model files. Additionally, the intruders did not access full credit card information because we do not store such information on our systems. We have not observed any actual misuse of your user information.
In addition, it appears that the hash file for user passwords has been exposed. For those unfamiliar, a “hash” is a jumbled but unique sequence of characters made from the original password. They store these hashes instead of storing the passwords themselves for security reasons. However, persistent perps could theoretically use a brute force technique to discover the actual passwords by repeatedly (and I mean millions of times) testing hypothetical passwords to see if their hash matches that stored in Shapeways’ file.
Eventually, it’s possible your password could be identified.
Therefore, Shapeways also announced they’ve automatically reset everyone’s password. You’ll have to set up a new one the next time you login.
Worse, if you happened to use the same user and password combination on other systems, it’s also possible your exposed credentials might be used on those systems. While Shapeways’ password reset is good for Shapeways users, it does nothing for any other service you might be using with the same credentials.
Best to change your passwords on any critical services elsewhere. Yes, this is a pain, but it is also common sense and good insurance.
This is, if I recall correctly, the first time a 3D print-related service has been compromised – THAT WE KNOW ABOUT. While unfortunate, it is all too common in today’s online world; sites are hacked into every day.
What’s interesting about this announcement is that Shapeways specifically mentioned that the 3D model files were not accessed.
But what if they had been? What if someone made off with the ENTIRE Shapeways collection? It would comprise many, many thousands of the very best artistic works by almost every designer working in 3D marketing their works.
Imagine if such a theft occurred and these models started appearing on random 3D repository sites, available for free download and sharing? That would surely be a catastrophe for the artists that spent considerable time developing these 3D models.
Perhaps artists should consider watermarking all 3D models submitted to online marketplaces?
But, as it turns out, that’s NOT the scenario that happened today. Hopefully it won’t happen anytime soon.