Bad news at Thingiverse - Security breach
 
Notifications
Clear all

Bad news at Thingiverse - Security breach  

  RSS
bobstro
(@bobstro)
Illustrious Member
Bad news at Thingiverse - Security breach

There has apparently been a security breach at Thingiverse and it sounds like usernames and passwords have been stolen and very likely in a state that can be used by would-be attackers. 

To make things worse, when I attempted to change my Thingiverse password, it asks for a PayPal username, which is highly unusual as I've never used PayPal at any Makerbot site.

I'm not going to interact with the site at all for now. Hopefully, everybody used a unique password and -- ideally -- separate email account. If not, definitely check any accounts that you shared passwords and logins with.

My notes and disclaimers on 3D printing and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan...
Posted : 14/10/2021 3:01 pm
bobstro
(@bobstro)
Illustrious Member
Topic starter answered:
Ahm... PayPal Montenegro?

The PayPal.me DNS entry points to Montenegro. No idea what's going on, but suffice to say, it doesn't look legit.

My notes and disclaimers on 3D printing and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan...
Posted : 14/10/2021 3:36 pm
RedDawg
(@reddawg)
Reputable Member

Why no mention of this on the Thingiverse website?

1. "Creativity is the sudden cessation of stupidity." and "Any problem can be solved with the materials in the room." -Edwin Land, inventor of the Polaroid Land Camera. 2. "If I can't fix it, it isn't broken." -Me....
Posted : 14/10/2021 4:04 pm
bobstro
(@bobstro)
Illustrious Member
Topic starter answered:
Makerbot seems slow in responding
Posted by: @reddawg

Why no mention of this on the Thingiverse website?

Not sure. Curious if anybody else is getting the weird paypal.me message when trying to change passwords.

My notes and disclaimers on 3D printing and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan...
Posted : 14/10/2021 5:35 pm
bobstro
(@bobstro)
Illustrious Member
Topic starter answered:
More details

Six days on and I haven't seen anything out of Makerbot.

We have asked Brooklyn-based Makerbot for comment on Hunt's observations, which stretch for a number of tweets that can be read in full by clicking the one above. The company does not appear to have publicly acknowledged the breach so far.

It does seem passwords and data were not well protected (encrypted):

HIBP's maintainer also claimed that some of the data included poorly encrypted passwords: one he highlighted was an unsalted SHA-1 hash which resolved to the password "test123".

More press on The Register.

My notes and disclaimers on 3D printing and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan...
Posted : 14/10/2021 9:22 pm
cwbullet
(@cwbullet)
Illustrious Member
Terrible

I completely missed this.  This is terrible.  They should be more transparent.  

--------------------
Chuck H
3D Printer Review Blog...
Posted : 14/10/2021 10:55 pm
Diem
 Diem
(@diem)
Noble Member

Six days on and I haven't seen anything out of Makerbot.

Angus at Makers Muse seems to have the answer, essentially the site is hosted but not maintained or curated.  It is basically a zombie.

Cheerio,

Posted : 15/10/2021 12:50 am
bobstro liked
MysDawg
(@mysdawg)
Eminent Member
Thingiverse

There continue to be 100s of items posted daily since the breach.....

Posted : 16/10/2021 7:08 pm
Patrick McNamara
(@patrick-mcnamara)
Estimable Member
Password change

I changed my password and it went through without any odd prompts.  Logged in, went to my Account Settings, clicked on Makerbot Account and filled in the appropriate fields.

Perhaps of more interest is that this is a Makerbot account, not just a Thingiverse account.  I'm not a Makerbot user so I don't know what info may be associated with such and account for other Makerbot sites/services.

Posted by: @bobstro
Posted by: @reddawg

Why no mention of this on the Thingiverse website?

Not sure. Curious if anybody else is getting the weird paypal.me message when trying to change passwords.

 

Posted : 17/10/2021 1:38 pm
Diem
 Diem
(@diem)
Noble Member

I suggest caution.  I have seen no evidence that the breach is closed ... you might just be giving the hackers a new set of personal details.

Cheerio,

Posted : 17/10/2021 7:00 pm
bobstro
(@bobstro)
Illustrious Member
Topic starter answered:
At this point, be sure your other accounts are secure. Anything on Makerbot is a lost cause.
Posted by: @diem

I suggest caution.  I have seen no evidence that the breach is closed ... you might just be giving the hackers a new set of personal details.

I've made a point of using a unique email alias and a completely unique password at every public site for exactly this reason. I consider anything from Makerbot untrustworthy at this point. Any mail I receive from that mail alias is going to get flagged.

If anybody has been sharing usernames and passwords at multiple sites, this is a prime reason not to. Changing your password at Makerbot won't help. You need to change it everywhere else you've used the same credentials. Look into a password manager if you haven't already, and keep your "fun stuff" separate from your "important stuff".

 

My notes and disclaimers on 3D printing and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan...
Posted : 17/10/2021 7:48 pm
aeberbach
(@aeberbach)
Active Member
Account change!

Deleted Thingiverse account. Seems safest. But yeah, definitely never, ever reuse a password over multiple sites.

Posted : 17/10/2021 11:21 pm
RedDawg
(@reddawg)
Reputable Member
Ditto

I didn't have any problems changing mine as well.

1. "Creativity is the sudden cessation of stupidity." and "Any problem can be solved with the materials in the room." -Edwin Land, inventor of the Polaroid Land Camera. 2. "If I can't fix it, it isn't broken." -Me....
Posted : 18/10/2021 1:37 am
jsw
 jsw
(@jsw)
Noble Member

I just changed my Thingiverse/Makerbot password and it did not ask for any Paypal information.

I use a machine-generated 'gobbledygook' password for each site.

Posted : 18/10/2021 6:32 am
Share: