Thingiverse Database of 228,000 Users Circulates the Web

A 36GB database containing data from 228,000 Thingiverse accounts has been circulating on malicious hacker forums for over a year. In addition to email and IP addresses, the data includes full names that users may have entered.

The 36GB backup file contains 228,000 unique email addresses. The file appeared on the internet a year ago. The MySQL database has been circulating on the internet ever since, Troy Hunt of Have I Been Pwned told DataBreach Today. According to him, the oldest entry in the database is from at least ten years ago and the database also contains full names. The passwords are hashed with bcrypt and therefore not available in plain text. It is unclear whether PayPal usernames are also part of the data breach.

The file was reportedly discovered last week by Twitter user Pompompurin. He told DataBreach Today that a friend of his tried to warn Thingiverse and parent company MakerBot, but received no answer. That friend reportedly then posted a sample of the breached data on a forum where these types of stolen files are often offered for payment.

Subsequently, Troy Hunt tried to contact MakerBot and Thingiverse, but was initially unsuccessful. After a call, he was told that MakerBot was looking into the matter. Because the company made no public notification that it was dealing with a data breach, Hunt decided to make it known via Have I Been Pwned.

Thingiverse is a site where users can share designs for 3D printers, among other things, under a GNU General Public License or Creative Commons license.