Thingiverse Data Leak Affects 228,000 Subscribers

Thingiverse, a website dedicated to sharing user-created digital design files, has reportedly leaked a 36GB backup file that contains 228,000 unique email addresses and other personally identifiable information, confirms Troy Hunt, creator of the Have I Been Pwned data breach notification service, citing the circulation of this data set on a popular hacking forum.

Thingiverse primarily provides free, open-source hardware designs that can be licensed under the GNU General Public License or Creative Commons licenses and allows contributors to select a user license type for the designs that they share – making it a popular choice among creative artists.

The Leaked Data
After analyzing the data file from the hacking forum, Hunt tells Information Security Media Group that the backup file was dumped publicly exactly a year ago on Oct. 13, 2020, and has remained exposed ever since. He adds that the leaked data appears to be a MySQL database that contains more than 255 million lines of data. “The earliest date stamps in the data set appear to go back about a decade, however, I’ve not analyzed it closely enough,” says Hunt.

Hunt says of the leaked data, “There is data on the 3D models that are publicly accessible, but there are also email and IP addresses, usernames, physical addresses and full names.”Thingiverse sample data set of the leak on a popular hacking forum (Image source: raid forum/ISMG)

Hunt says that the vast majority of the email addresses appear to be in the form of webdev+[username] and he is not sure why this is done. Following is an example of a complete record fetched from the data table: 1[XXXXX]1,'[username]’,’webdev+[username]’,’$2y$10$X26cQ2uz5Uh1EyfIabIpguXHcS7G3uJ1AC8MnvxQ7dlFewy8wUWQq’,NULL,NULL,”,0,”,’2018-02-19 06:07:43′,’2018-02-19 05:51:17′,0,’cc-sa’,1,1,1,1,1,1,1,NULL,0,0,0,0,”,0,’AR’,’Maker/Consumer’,”,’1099′,0,’199[X]-0[X]-25 00:00:00′,NULL,0,NULL

Additionally, Hunt notes the presence of bcrypt password hashes in the above example, as well as the date of birth of the user being exposed.

Thingiverse users, however, can breathe a bit easily as there is no sign of plain text password exposure in this data set. “I haven’t found passwords at this time,” Hunt tells ISMG.

Both ISMG and Hunt have tried several times to reach MakerBot, the owner of Thingiverse, which is a 3D printer manufacturing company headquartered in New York. The company has not responded. Hunt took to Twitter, asking if anyone had contacted MakerBot’s security team.

After the tweet was posted, a spokesperson from MakerBot contacted Hunt and said that the company is “currently looking into this.”

Hunt says that although he wants to notify his Have I Been Pwned subscribers at the earliest opportunity, “I’d prefer to have MakerBot do appropriate disclosure first.”

The Discovery
The exposed data set was first discovered by a researcher and cyber enthusiast known by the alias “pompompurin” on Twitter and other forums. Pompompurin tells ISMG that he made the discovery on Oct. 1, 2021, and shared it with one of his friends, who further verified it and then informed Thingiverse and MakerBot about it through email correspondence. Pompompurin says he is not sure what exactly was written in the email as he was not a part of that communication.

Saying that he scanned the exposed database himself, Pompompurin confirms that the leaked data set was a result of a “misconfigured S3 bucket” from Thingiverse’s backup data.

MakerBot did not respond to his friend’s email and, losing patience, the friend leaked the data on a known hacker forum, says Pompompurin, who justifies this action by stating, “They deserve that to happen after being so reckless as to leaving a backup public.”

Hunt says of Thingiverse and MakerBot, “I have been trying to get in touch since Saturday. It’s Wednesday now. I may just have to notify my subscribers anyway.”

According to the latest correspondence from Hunt, he has advised Thingiverse that he will be publishing the leak information on Oct.14 after the company responded to him saying they are “taking this matter very seriously” but failed to provide an ETA on when they would be issuing a formal notice.

Last week, Plug and Play Ventures, a Silicon Valley VC firm, was involved in a similar data leak incident when the company left an Amazon S3 bucket open to the internet (see: Silicon Valley VC Firm Leaked ‘Deal Flow’ Data).