HaveIBeenPwned.com added Thingiverse to its list of breached websites yesterday, 14th October. Thingiverse is a go-to for 3D printing .STL files and hobbyists worldwide, and it apparently has some sketchy security protocols.
Thingiverse allows users to upload and download files of 3D models that can be sliced and printed on STL and Resin 3D printers. They have an easy-to-follow license system that makes sure users get credited for their own work and gives them control over creative use of their designs.
Troy Hunt, the creator of Have I Been Pwned, had been trying to reach out to Thingiverse and their New York-based parent company MakerBot for days before notifying the public of a data breach:
The breach was originally discovered by Pompompurin, an avid cyber researcher, who, it seems, hasn’t taken too kindly to someone else claiming the discovery to promote their website:
Thingiverse Hacked – How Did It Happen?
Long story short, they left a backup in a public directory. A misconfigured S3 bucket opened up their cloud environment, which meant the information was publicly readable and exposed to a data breach. FYI, if write privileges had been enabled too, malware and encryption methods could easily have held a company like MakerBot/Thingiverse to ransom.
This is becoming a repeat issue for big businesses, with Silicon Valley VC firm Play And Play Ventures having the same issue. Luckily, the Thingiverse data breach didn’t include any full passwords, but some date of birth information was present. Just to be safe, we’d recommend logging in and changing your password.
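The kind of misconfiguration described above, a bucket that anyone can read or write, can be caught by auditing the bucket policy and ACL before a backup ever lands there. The following is an added example, not code from Thingiverse or from this article; it takes a policy document and ACL grant list in the shapes AWS returns for GetBucketPolicy and GetBucketAcl, and the bucket name, account ID and role in the sample are constructed.

```python
import fnmatch
import json

# ACL grantee URIs meaning "anyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
CHECKS = {"public-read": ("s3:GetObject", "s3:ListBucket"),
          "public-write": ("s3:PutObject", "s3:DeleteObject")}
ACL_PERMS = {"public-read": ("READ", "FULL_CONTROL"), "public-write": ("WRITE", "FULL_CONTROL")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _allows(patterns, actions):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns for a in actions)

def audit_bucket(policy_json, acl_grants):
    """Return a set of findings ("public-read", "public-write") for one bucket."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Conditioned statements (e.g. aws:SourceIp) are not counted as public here.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_public(stmt.get("Principal")):
            patterns = _as_list(stmt.get("Action", []))
            findings |= {name for name, acts in CHECKS.items() if _allows(patterns, acts)}
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            perm = grant.get("Permission")
            findings |= {name for name, perms in ACL_PERMS.items() if perm in perms}
    return findings

# Constructed sample input: a backup bucket anyone can list and download from.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
SAMPLE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
               "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    print(sorted(audit_bucket(SAMPLE_POLICY, SAMPLE_ACL)))
```

The write statement in the sample is scoped to a single role, so only the read exposure is reported; a bucket with S3 Block Public Access enabled would not serve these grants even if they were present.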