Bad news at Thingiverse - Security breach
There has apparently been a security breach at Thingiverse and it sounds like usernames and passwords have been stolen and very likely in a state that can be used by would-be attackers.
To make things worse, when I attempted to change my Thingiverse password, it asks for a PayPal username, which is highly unusual as I've never used PayPal at any Makerbot site.
I'm not going to interact with the site at all for now. Hopefully, everybody used a unique password and -- ideally -- separate email account. If not, definitely check any accounts that you shared passwords and logins with.
and miscellaneous other tech projects
He is intelligent, but not experienced. His pattern indicates two dimensional thinking. -- Spock in Star Trek: The Wrath of Khan
Ahm... PayPal Montenegro?
The PayPal.me DNS entry points to Montenegro. No idea what's going on, but suffice to say, it doesn't look legit.
Why no mention of this on the Thingiverse website?
Hear ye, Hear ye! Step right up folks and get your Government salvation here! Less than $.002 per word! Amazon.com/dp/B0B8XMMFP4
Makerbot seems slow in responding
Why no mention of this on the Thingiverse website?
Not sure. Curious if anybody else is getting the weird paypal.me message when trying to change passwords.
More details
Six days on and I haven't seen anything out of Makerbot.
We have asked Brooklyn-based Makerbot for comment on Hunt's observations, which stretch for a number of tweets that can be read in full by clicking the one above. The company does not appear to have publicly acknowledged the breach so far.
It does seem passwords and data were not well protected (encrypted):
HIBP's maintainer also claimed that some of the data included poorly encrypted passwords: one he highlighted was an unsalted SHA-1 hash which resolved to the password "test123".
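The unsalted SHA-1 storage described in the HIBP quote above is the kind of record a site should migrate the next time each user logs in. As an added example (not code from Thingiverse, Makerbot or the article quoted), the Python below shows why unsalted SHA-1 is weak (two users who chose "test123" store identical digests, so one lookup exposes both) and a login routine that verifies a legacy record and transparently rewrites it as salted PBKDF2-HMAC-SHA256. The sample records and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample in the shape the HIBP report describes: bare, unsalted
# SHA-1 hex digests, two of them for "test123". Not data from the real breach.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"test123").hexdigest(),
    "bob": hashlib.sha1(b"test123").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

PBKDF2_ITERATIONS = 600_000  # assumption: a current-generation work factor


def is_legacy_sha1(stored: str) -> bool:
    """Unsalted SHA-1 records are 40 hex characters with no scheme prefix."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored)


def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 in a self-describing scheme$iters$salt$digest form."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _scheme, iters, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def login(users: dict, username: str, password: str) -> bool:
    """Verify a login; on success, upgrade any legacy SHA-1 record in place."""
    stored = users.get(username)
    if stored is None:
        return False
    if is_legacy_sha1(stored):
        ok = hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)
        if ok:
            users[username] = hash_pbkdf2(password)  # transparent upgrade on first login
        return ok
    return verify_pbkdf2(password, stored)
```

After both legacy users log in, their records no longer match each other even though the passwords are the same, which is exactly the property the unsalted dump lacked.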
Terrible
I completely missed this. This is terrible. They should be more transparent.
--------------------
Chuck H
3D Printer Review Blog
Six days on and I haven't seen anything out of Makerbot.
Angus at Makers Muse seems to have the answer, essentially the site is hosted but not maintained or curated. It is basically a zombie.
Cheerio,
Thingiverse
There continue to be hundreds of items posted daily since the breach...
Password change
I changed my password and it went through without any odd prompts. Logged in, went to my Account Settings, clicked on Makerbot Account and filled in the appropriate fields.
Perhaps of more interest is that this is a Makerbot account, not just a Thingiverse account. I'm not a Makerbot user so I don't know what info may be associated with such an account for other Makerbot sites/services.
Why no mention of this on the Thingiverse website?
Not sure. Curious if anybody else is getting the weird paypal.me message when trying to change passwords.
I suggest caution. I have seen no evidence that the breach is closed ... you might just be giving the hackers a new set of personal details.
At this point, be sure your other accounts are secure. Anything on Makerbot is a lost cause.
I suggest caution. I have seen no evidence that the breach is closed ... you might just be giving the hackers a new set of personal details.
I've made a point of using a unique email alias and a completely unique password at every public site for exactly this reason. I consider anything from Makerbot untrustworthy at this point. Any mail I receive from that mail alias is going to get flagged.
If anybody has been sharing usernames and passwords at multiple sites, this is a prime reason not to. Changing your password at Makerbot won't help. You need to change it everywhere else you've used the same credentials. Look into a password manager if you haven't already, and keep your "fun stuff" separate from your "important stuff".
Account change!
Deleted Thingiverse account. Seems safest. But yeah, definitely never, ever reuse a password over multiple sites.
Ditto
I didn't have any problems changing mine as well.
I just changed my Thingiverse/Makerbot password and it did not ask for any PayPal information.
I use a machine-generated 'gobbledygook' password for each site.