Thingiverse data breach, 228,000 files on the dark web 2021

The 3D printing enterprise suffered a mass data breach, losing custody of 228,000 subscribers’ data. Although the breach occurred in October of 2020, the breach notification service ‘Have I Been Pwned’ states that the present circulation of this data in underground dark web communities could be problematic. The 3D printing group, known as Thingiverse, states that it is “taking this matter very seriously.”

Why this data breach is significant

Thingiverse, whose parent company is MakerBot, was developed for the maker community, which sees enthusiastic participation in Silicon Valley and beyond. Thingiverse serves as a repository where ‘makers’ can post 3D print model designs. As of two years ago, the platform reported more than two million registered users and facilitated more than 340 million object downloads. Since then, Thingiverse has expanded to new user populations and grown exponentially.

In addition to offering over 1.5 million design files, the site provides options for design customization via a Customizer tool, or via OpenSCAD. The platform also permits the uploading of models under the GNU General Public or Creative Commons licenses. In turn, the platform has transformed into a forum for certain kinds of creative types who wish to share and discuss work.

Nonetheless, the open nature of the platform renders it vulnerable to cyber breaches. In December of 2017, a bug within the comments section of the site enabled bad actors to quietly mine cryptocurrencies. The perpetrators leveraged the CPU power of site visitors’ devices to solve the mathematical problems required for mining Bitcoin and other forms of crypto.

This crypto mining episode in MakerBot’s history was eventually resolved. The security issues that enabled the crypto mining were fixed. User data was never compromised, and those responsible for the hijacking were banned from the platform.

In contrast, the data breach at hand involves 255 million lines of data and includes usernames, physical addresses and persons’ legal names. As noted earlier, 228,000 unique email addresses are involved. And, according to Troy Hunt, who runs Have I Been Pwned, “228k is also just the unique *real email addresses*; on top of that are well over 2M addresses in the form of webdev+[username] @makerbot.com, alongside password hashes. The highest ID in the users table 2,857,418 so the scope is much bigger.”

Where to go from here

Cyber security expert Troy Hunt first received information about this data breach from another cyber aficionado. After investigating the information cache on October 1st of 2021, the pair verified its validity and identified the source of the issue. Shortly thereafter, MakerBot, the parent company of Thingiverse, was contacted directly.

The company did not provide a swift response to the security incident report, prompting the white hat cyber investigators to tweet about the breach. A spokesperson for MakerBot stated that its teams attribute the leak to an internal human error. Members of the Thingiverse community are encouraged to update their passwords as a precautionary measure. MakerBot also apologized for the incident and regrets any inconvenience to users.

In conclusion

Cyber security breaches are growing increasingly common. In the past decade, more than 4 billion records have been stolen or leaked. A data breach can happen within any organization. Get breach prevention insights here. Also, be sure to read our article titled How to Improve Security After a Data Breach. Lastly, for more cyber security and business insights, analysis and resources, sign up for the Cyber Talk newsletter.
