News from haveibeenpwned.com indicates popular 3D model repository has been hacked.
The site monitors data breaches and maintains a database of compromised ids. It’s possible for anyone to use the service to check whether a specific email id — including yours — has been exposed.
Now the site reports there has been a rather large leak of credentials from Thingiverse. They explain:
“In October 2021, a database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community. Dating back to October 2020, the 36GB file contained 228 thousand unique email addresses, mostly alongside comments left on 3D models. The data also included usernames, IP addresses, full names and passwords stored as either unsalted SHA-1 or bcrypt hashes. In some cases, physical addresses was also exposed. Thingiverse’s owner, MakerBot, is aware of the incident but at the time of writing, is yet to issue a disclosure statement. The data was provided to HIBP by dehashed.com.”
Indeed, an inspection of Thingiverse as I write this shows no disclosure statement, but I’m pretty certain they will be doing so shortly given the magnitude of the exposure.
Hundreds of thousands of ids is no small matter, and in fact likely represents a very large percentage of 3D printing enthusiasts worldwide.
What should you do? Well, there’s nothing you can do to stop the exposure of the data, which has already occurred. The information exposed apparently includes email addresses and associated passwords in slightly encrypted form. However, it is apparently quite easy to decode these passwords and thus obtain the actual password to the site.
You might think that exposing your lightly-used Thingiverse password isn’t that big a deal, but it could be a lot more important than you realize. Consider that a great many people actually use the same password for many services. Therefore, once a hacker has your id and a working password, they need only attempt to use it on ANY OTHER SERVICE.
Sometimes it will work if the email owner has used the same password for different services. This can be done automatically by login scripts that might test thousands of sites for potential access to your ids.
Could one of those re-used passwords be on your banking service? Your crypto exchange account?
Rule of thumb: NEVER USE THE SAME PASSWORD ON DIFFERENT SITES!
Why were the Thingiverse passwords stored in a decryptable manner? I don’t know, but you’ll have to ask MakerBot about that. The issue is that when you provide credentials to remote services, you really don’t have any idea what’s happening under the covers. Some services have extraordinarily extensive security configurations, but others may have literally nothing and store your credentials in plain text. That makes password access easy should the data ever be exposed.
MakerBot perhaps should have encrypted the passwords in a better manner, but it’s too late now.
This is what you must do right away: go to Thingiverse and change your password. Then change your password any other site that used the same password, and do it now. It’s easy to do and something that should be done regularly.
It’s also a very good idea to consider the use of two-factor authentication, which would prevent hacker access, even if the passwords were exposed. Some services offer this, and I encourage you to try it out.
One reason why people tend to use the same password is that it’s easy to remember the single password. It’s extremely difficult or even impossible to remember many different passwords, particularly if they are lengthy and confusing.
That’s why I use a password manager to keep track of my passwords. These are software utilities that record credentials when you use them, and even generate new, random passwords for new logins. There are some free services that do this function, and some better paid services. Personally, I use 1Password, but there are several others with comparable function.
This is perhaps the biggest hack in 3D print history, but it will not be the last.
Be prepared for next time.