back to article 3D printing site Thingiverse suffers breach of 228,000 email addresses amid sluggish disclosure

Thingiverse, a site that hosts free-to-use 3D printer designs, has suffered a data breach – and at least 228,000 unlucky users' email addresses have been circulating on black-hat crime forums. News of the breach came from Have I Been Pwned (HIBP), whose maintainer Troy Hunt uploaded the 228,000 breached email addresses to the …

  1. Mike 137 Silver badge

    Not just companies

    "some companies just don't want to hear bad news – which makes it all the more important to get through to them"

    Such examples are minor signs of a very deep problem. Eric Haseltine's 'The spy in Moscow Station' [Icon Books 2019] describes the extraordinary contortions that various US government agencies went through to ignore evidence that pretty much all official communications to and from the US embassy in Moscow were being read in real time by the Soviet security services. This got as extreme as, when hardware keystroke exfiltration modifications were found in a golfball typewriter used in the Ambassador's private office, it was rumoured that the NSA officer in charge of the discovery had fabricated the evidence to improve his career prospects.

  2. SusiW
    FAIL

    Not Surprised.

    Sadly, since the sale of Thingiverse (MakerBot) to a certain company, this once hallowed site has started to suffer from a lack of funding.

    Something like this was bound to happen. I'm just surprised it took so long to occur.

  3. Shez

    "the exposure of some non-sensitive user data for a handful of Thingiverse users."

    I'm not sure I agree that email addresses and unsalted password are non-sensitive

    1. Our Lord and Savior Rahl

      Certainly from a GDPR perspective the former depends. If it's a personal email address then it would be classed as personal data, and a company one (the usual forename, surname, company domain) includes your full name and place of employment which is definitely within the remit!

  4. adam payne

    We have not identified any suspicious attempts to access Thingiverse accounts

    Well if you leaked usernames and passwords what would you consider to be a suspicious attempt?

    and we encouraged the relevant Thingiverse members to update their passwords as a precautionary measure

    Who would they be then?, will these members be contacted or have their passwords automatically reset?

    1. The commentard formerly known as Mister_C Silver badge

      "will these members be contacted or have their passwords automatically reset?"

      No and No. Most TV users don't expect to hear anything from the unresponsive team at TV these days.

      I learned of the leak because TV user rssalerno posted a message in a TV group (then read about it on el reg, Gareth posted his story at about the same time. Confirmed that my account is one of the "handful" via "have I..."

      Password is unique to that site, but changed it on the site and updated my password manager just in case some joker wants to upload anything to my account.

      1. Steve Evans

        Exactly the same here.

        Unique email and password on TV. Found the email on have I been pwned.

        Changed my password on TV.

        Still awaiting notification of breach email...

        1. Swarthy

          Days later, and I am still waiting for my notification.

          Hmmmm.....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like