I’ve learned more about the Thingiverse security breach we reported on yesterday, and it may not be as bad as initially thought.
For those who have not yet heard, security researchers discovered a dump of Thingiverse data circulating online, and that it contained, among other things, security credentials for some Thingiverse users.
According to the report on HaveIBeenPwned.com, some 228,102 accounts were exposed. Each record includes the account’s email address and a hashed password. Note that the passwords were hashed, not encrypted, and the protection is only as good as the hash: for records stored with SHA-1, a fast hash with no work factor, anyone holding the dump can test candidate passwords offline at very high speed, so those passwords should be treated as recoverable.
However, this may not be as bad as it looks. TwoSense software engineer TJ Horner examined the data dump and learned quite a bit about what happened. Anyone can analyze this data because, well, it has been published online.
Horner’s analysis is notable because they previously worked at MakerBot, the operator of Thingiverse, and should have some additional insights into the data. According to their analysis:
Horner said the data actually comes from a staging database holding Thingiverse activity up until May 18, 2018; nothing created after that date appears in the dump. Remarkably, 2,079,011 user records are included.
Since the leak came to light, MakerBot has indicated that only about 500 users were affected. Horner believes that figure is the number of non-MakerBot accounts in the dump, with the remainder being internal accounts.
Horner explains the content of the dump:
“This means ALL real, live production data Thingiverse had on users until that point was leaked, of note:”
- Hashed passwords (SHA-1 or bcrypt)
- Physical addresses
- DMs between users
- Moderation logs
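To make concrete why a dump of SHA-1 hashes is so much worse than one of bcrypt hashes (the two schemes Horner lists), here is an added example that is not part of the original article or of Horner’s analysis. It builds a constructed mini dump with made-up accounts and passwords and runs a dictionary attack against both halves. PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in the Python standard library; that substitution is an assumption, but both share the two properties that matter here, a per-record salt and a tunable work factor. The wordlist, salts and passwords are all constructed.

```python
import hashlib

# Constructed sample wordlist for this example (a real attack uses lists of
# hundreds of millions of previously leaked passwords).
WORDLIST = ["123456", "password", "qwerty", "letmein", "thingiverse2018", "dragon"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the weak scheme among the dumped hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (assumption: bcrypt is not in the stdlib; both give a per-record salt
    and a work factor, which is what this example demonstrates)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def crack_unsalted_sha1(target_hashes, wordlist):
    """Crack any number of unsalted SHA-1 hashes in ONE pass over the wordlist.

    With no salt, one SHA-1 per candidate is compared against every target
    at once, so cost is ~len(wordlist) regardless of how many hashes leaked.
    Returns ({hash: password}, number of hash computations).
    """
    targets = set(h.lower() for h in target_hashes)
    found, work = {}, 0
    for candidate in wordlist:
        work += 1
        digest = sha1_hex(candidate)
        if digest in targets:
            found[digest] = candidate
    return found, work


def crack_salted_slow(records, wordlist, iterations=100_000):
    """records is a list of (salt, hash). The salt forces a separate wordlist
    pass per record, and the iteration count makes every single guess slow.
    Returns ({hash: password}, number of hash computations).
    """
    found, work = {}, 0
    for salt, target in records:
        for candidate in wordlist:
            work += 1
            if slow_salted_hash(candidate, salt, iterations) == target:
                found[target] = candidate
                break
    return found, work


def demo(iterations=2_000):
    """Build a constructed mini dump and attack both halves of it."""
    # Two constructed users whose passwords were stored as unsalted SHA-1.
    sha1_targets = [sha1_hex("letmein"), sha1_hex("123456")]
    # Two constructed users stored with a salted, slow hash (made-up salts).
    salted_records = [
        (b"salt-for-user-a", slow_salted_hash("dragon", b"salt-for-user-a", iterations)),
        (b"salt-for-user-b", slow_salted_hash("letmein", b"salt-for-user-b", iterations)),
    ]
    fast_found, fast_work = crack_unsalted_sha1(sha1_targets, WORDLIST)
    slow_found, slow_work = crack_salted_slow(salted_records, WORDLIST, iterations)
    return {
        "sha1_cracked": sorted(fast_found.values()),
        "sha1_hash_ops": fast_work,
        "salted_cracked": sorted(slow_found.values()),
        "salted_hash_ops": slow_work,
    }


if __name__ == "__main__":
    print(demo())
```

Both halves fall to the same six-word list, because the constructed passwords are weak either way; the difference is cost. The unsalted SHA-1 side needs six hash computations in total, however many accounts leaked, while the salted side needs a fresh pass per account and each guess costs thousands of iterations. Scale that to the two million records in the dump and a million-word list: roughly a million SHA-1s for the whole unsalted set, against trillions of slow iterations for the salted set.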
Horner also points out a warning, saying:
“With this leaked data there is a way to take control of every internet-connected MakerBot printer owned by any user in this leak, with users unable to do anything about it. I don’t want to go into detail about this quite yet in order to give MakerBot a chance to fix it. But it’s real bad.”
That sounds ominous, but it may relate to the physical addresses contained in the dump. If so, many of those addresses will have changed in the roughly 3.5 years since the data was captured in May 2018.
The exposure is likely smaller still, because the dump reaches all the way back to Thingiverse’s launch in 2008; over that span many of the Internet-connected printers involved will have been retired or replaced with newer equipment.
As of this morning, I have not seen an official announcement from MakerBot regarding the situation, but I do know they are aware of the incident and are no doubt preparing a statement and taking action internally.
In the meantime, I strongly recommend changing your password, not only on Thingiverse but on any other site where you used the same email address and password combination: credentials exposed from Thingiverse will be tried elsewhere, a practice known as credential stuffing. Use a unique password for every site (a password manager makes this practical), and turn on two-factor authentication for any critical service you use, such as your banking site.
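One practical way to act on this advice is to check whether a password you reuse already appears in known breaches, using the HaveIBeenPwned Pwned Passwords range API. This is an added example, not code from the article or from HaveIBeenPwned. The endpoint and its response format (one `SUFFIX:COUNT` line per hash sharing the queried 5-character SHA-1 prefix) are real and need no API key; the sample response body below is constructed so the example runs offline, and its counts are made up (the real count for "password" differs). The `User-Agent` string is an arbitrary choice.

```python
import hashlib
import urllib.request

# Real endpoint: GET <URL><first 5 hex chars of the uppercase SHA-1>.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1.
    Only the prefix is ever sent over the network (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the full hash has been seen in breaches, or 0 if it is absent."""
    suffix = suffix.upper()
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.upper() == suffix:
            return int(count)
    return 0


def _fetch_range_online(prefix: str) -> str:
    """HTTPS GET of the range for one prefix (not exercised offline)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example"},  # arbitrary identifier
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=None) -> int:
    """k-anonymity lookup: hash locally, send only the prefix, match the
    suffix locally. `fetch` maps a prefix to a response body; it defaults
    to the real HTTPS call and can be swapped for an offline stand-in."""
    prefix, suffix = split_sha1(password)
    if fetch is None:
        fetch = _fetch_range_online
    return parse_range_response(suffix, fetch(prefix))


# Constructed stand-in for the range response for prefix 5BAA6, so the
# example runs offline. The middle suffix is the real SHA-1 tail of
# "password"; the other suffixes and all three counts are made up.
SAMPLE_RANGE_BODY = """00A1B2C3D4E5F60718293A4B5C6D7E8F9A0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFEEDDCCBBAA99887766554433221100FED:1
"""


def offline_fetch(prefix: str) -> str:
    """Offline replacement for _fetch_range_online (constructed data)."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Offline demonstration; pass fetch=None to query the live service.
    print("password seen", pwned_count("password", fetch=offline_fetch), "times")
```

The privacy property is the point: the service only ever learns the first five hex characters of the hash, which covers hundreds of candidate hashes, and the comparison against the returned suffixes happens on your machine. A non-zero count means the password is already in attackers’ cracking lists and should be retired everywhere it was used.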