MakerBot provided a detailed disclosure of a data leak from last October.
In October, it was revealed by haveibeenpwned.com that a major data leak occurred at Thingiverse. Evidently a database backup containing 36GB of data was circulating in the Internet underworld. The data dump allegedly contained over 228,000 unique email addresses of Thingiverse users.
Then shortly thereafter, software engineer TJ Horner, who just happened to previously work at MakerBot, performed an analysis of the dump and determined that it contained over 2M identifiable users. However, many of the identities were internal to MakerBot and Thingiverse, while only about 500 external users were affected.
Horner also warned:
“With this leaked data there is a way to take control of every internet-connected MakerBot printer owned by any user in this leak, with users unable to do anything about it. I don’t want to go into detail about this quite yet in order to give MakerBot a chance to fix it. But it’s real bad.”
This week MakerBot concluded their investigations into the affair and provided a very detailed update on the situation. While the release is definitely something you should read if you happen to be a Thingiverse user (and who isn’t?), there are some highlights I will point out.
MakerBot determined the data was mistakenly made available by human error on October 16, 2020, and remained in that state until detected on October 12, 2021. At that time the data was taken down, and MakerBot launched a comprehensive investigation.
MakerBot determined the data included information for users that had created accounts on Thingiverse from 2010 through 2018, and included the following specific information:
- User Name
- Public Twitter Handles
- Hashed Passwords
- Email Addresses
- Email Addresses Associated With Paypal (used for designer tipping)
- Self-Reported Phone Numbers
- IP Addresses
- Self-Reported Physical Addresses
- Direct Messages
- Unpublished Designs
- Tokens
MakerBot reports they have detected no suspicious attempts to make use of Thingiverse resources using the exposed information, so that’s a good thing. However, the damage can go beyond Thingiverse itself.
MakerBot automatically caused a password reset on all affected Thingiverse users, which basically negates the criminal value of the data dump — on the Thingiverse site.
However, there is one problem that every affected user should be completely aware of: if you have re-used your Thingiverse password elsewhere, it may compromise accounts with other services.
Hashed passwords need a bit of an explanation. They are not literally storing the characters “mydumbpassword42”, but instead storing a mathematical transformation of this character sequence, something like “$1$B36ccs6lc$5WZ5N10quMJ62v5LCu8Jj1”.
How does that help a hacker break in? It’s actually pretty straightforward: they simply use the same hashing algorithm and repeatedly throw words from a dictionary and other sources at it. If by chance one of their attempts eventually produces the stored hash value, then they have determined your password from the hash.
This password can then be re-used anywhere your email address was used as the account id.
For example, let’s say you happened to use the same password for your Thingiverse account that you also used at, say, your Amazon account. Someone inspecting the dump file could simply log in to your Amazon account using the determined password and order some juicy items.
Or worse, if you happened to use the same password for your banking service, hackers could access your money. That’s one reason why everyone should consider two factor authentication for critical services. If “2FA” was used in this banking scenario, the hacker could not gain access because they’re not getting the confirmation code that went to your mobile.
Something else of note is that the Thingiverse data dump included PayPal email addresses. This is not good, as it immediately would show a hacker that the individual does have a PayPal account, and provide the id for it. Then it’s just a matter of breaking the hash to get into the PayPal account and transfer cash elsewhere.
There’s another way to reduce your exposure here: always, always, always use very long passwords. This is because the number of possibilities a hacker has to evaluate before discovering your password from the hash grows exponentially with its length. Some will suggest using a variety of special characters, but they are far less important than the length of the password. In other words, this password:
“^%0-_++ffZ”
Is not nearly as effective as:
“Ring-around-the-seven-potatoes”
The latter is also far easier to remember and enter.
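To make the two points above concrete (what a stored hash is and why a guess can be checked against it, and why length beats special characters), here is a small added example that is not part of the MakerBot release or of Thingiverse’s code. It uses PBKDF2-HMAC-SHA256 with a constructed string format as a stand-in for the crypt-style “$1$…” hash quoted above, and the two example passwords from this article.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# Constructed stand-in for the crypt-style "$1$..." string shown in the article:
# "$pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>". Real systems use a standard
# scheme such as bcrypt or crypt(3); the format here is for illustration only.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, iterated hash; the clear-text password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash for a candidate and compare it with the stored value.
    This is the only way to check a password against its hash, which is also why
    a leaked hash can be tested offline: every guess costs one call like this."""
    _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unknown hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def search_space_bits(password: str) -> float:
    """Brute-force work factor in bits: length * log2(alphabet size), where the
    alphabet is the union of the character classes the password actually uses."""
    if not password:
        return 0.0
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    # Characters outside those classes (spaces, non-ASCII) each count once.
    alphabet += len({ch for ch in password if not any(ch in c for c in classes)})
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    stored = hash_password("mydumbpassword42")  # password quoted in the article
    print(stored)
    print(verify_password("mydumbpassword42", stored), verify_password("guess", stored))
    for pw in ("^%0-_++ffZ", "Ring-around-the-seven-potatoes"):
        print(f"{pw!r}: about {search_space_bits(pw):.0f} bits of brute-force search space")
```

The short symbol-heavy password comes out near 66 bits while the long passphrase is near 192 bits, a gap of well over a hundred doublings in the work an attacker must do.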
MakerBot has taken steps to mitigate the human error behind the exposure. They are changing their internal procedures to ensure this type of mistake does not happen again, as well as revoking all the exposed tokens.
Finally, I must say that MakerBot clearly made a mistake here, and they were caught by a hacker that scooped up their data. While it makes them look bad, don’t assume that other companies who have not suffered a data exposure are handling things better internally.
Many companies have rather sloppy security setups, and it’s only a matter of time before they lose control of some data. They may not be in the news today, but they could be in the future.
Meanwhile, my best advice is to take these three steps:
- Always use a different password for every service you use
- Always use very long memorable passwords when you are allowed to do so
- Consider using a professional password manager to keep track of your credentials
Via MakerBot