Bad news at Thingiverse - Security breach  

Ahm... PayPal Montenegro?

The PayPal.me DNS entry points to Montenegro. No idea what's going on, but suffice to say, it doesn't look legit.

Why no mention of this on the Thingiverse website?

Makerbot seems slow in responding

Posted by: @reddawg

Why no mention of this on the Thingiverse website?

Not sure. Curious if anybody else is getting the weird paypal.me message when trying to change passwords.

More details

Six days on and I haven't seen anything out of Makerbot.

We have asked Brooklyn-based Makerbot for comment on Hunt's observations, which stretch for a number of tweets that can be read in full by clicking the one above. The company does not appear to have publicly acknowledged the breach so far.

It does seem passwords and data were not well protected (encrypted):

HIBP's maintainer also claimed that some of the data included poorly encrypted passwords: one he highlighted was an unsalted SHA-1 hash which resolved to the password "test123".

More press on The Register.

Terrible

I completely missed this.  This is terrible.  They should be more transparent.  

Six days on and I haven't seen anything out of Makerbot.

Angus at Makers Muse seems to have the answer, essentially the site is hosted but not maintained or curated.  It is basically a zombie.

Cheerio,

Thingiverse

There continue to be 100s of items posted daily since the breach.....

Password change

I changed my password and it went through without any odd prompts.  Logged in, went to my Account Settings, clicked on Makerbot Account and filled in the appropriate fields.

Perhaps of more interest is that this is a Makerbot account, not just a Thingiverse account.  I'm not a Makerbot user so I don't know what info may be associated with such and account for other Makerbot sites/services.

Posted by: @bobstro

Posted by: @reddawg

Why no mention of this on the Thingiverse website?

Not sure. Curious if anybody else is getting the weird paypal.me message when trying to change passwords.

I suggest caution.  I have seen no evidence that the breach is closed ... you might just be giving the hackers a new set of personal details.

Cheerio,

At this point, be sure your other accounts are secure. Anything on Makerbot is a lost cause.

Posted by: @diem

I suggest caution.  I have seen no evidence that the breach is closed ... you might just be giving the hackers a new set of personal details.

I've made a point of using a unique email alias and a completely unique password at every public site for exactly this reason. I consider anything from Makerbot untrustworthy at this point. Any mail I receive from that mail alias is going to get flagged.

If anybody has been sharing usernames and passwords at multiple sites, this is a prime reason not to. Changing your password at Makerbot won't help. You need to change it everywhere else you've used the same credentials. Look into a password manager if you haven't already, and keep your "fun stuff" separate from your "important stuff".

Account change!

Deleted Thingiverse account. Seems safest. But yeah, definitely never, ever reuse a password over multiple sites.

Ditto

I didn't have any problems changing mine as well.

I just changed my Thingiverse/Makerbot password and it did not ask for any Paypal information.

I use a machine-generated 'gobbledygook' password for each site.