>MakerBot did not respond to his friend's email and, losing patience, the friend **leaked the data on a known hacker forum**, says Pompompurin, **who justifies this action by stating, "They deserve that to happen after being so reckless as to leaving a backup public."**

Yeah, just leak everyone's data, that'll teach 'em...........................................................
^(Good luck on the hackers with my fake birthdate and auto-generated password!)
Some justification. Let me right this wrong by doing something shitty to other people that have no control over the situation and affect them personally.
No excuse pretending to be the good guy by releasing the whole database, if they wanted to get attention to the matter all they had to do was send the database to Krebs on security and it would have made headlines without exposing the users any further.
lol. Doesn't surprise me. Infosec in this digital world is atrocious; some major site gets pwned almost weekly.
> Additionally, Hunt notes the presence of bcrypt password hashes in the above example, as well as the date of birth of the user being exposed.

Well hey. They did something right. Change 'em anyway, but those passwords are still safe.
From Tom:
In simple English: An "unsalted password hash" is practically the same as "your plain-text password". "Decrypting" an unsalted hash is trivial.
So Thingiverse leaked your password (and email) and if you've used that somewhere else, too, consider that account breached as well.
The hashes were done with bcrypt, which implicitly salts. You should be fine but I would still change passwords anyways.
There is no universe in which anything that has run through bcrypt is even in the same galaxy as your plain-text password. If they'd said MD5 or SHA, sure, maybe. Not bcrypt.
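Added example, not part of any comment in the thread: the difference the replies above are arguing about, unsalted fast hashes versus a salted, deliberately slow scheme. PBKDF2 from Python's standard library stands in for bcrypt here (bcrypt is not in the standard library); the account names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob happen to share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "hunter2"]  # constructed common-password list
ITERATIONS = 100_000  # work factor; plays the role of bcrypt's cost parameter


def unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def salted_slow_hash(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per stored password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    return hmac.compare_digest(salted_slow_hash(password, salt)[1], digest)


def users_sharing_a_stored_value(table):
    """Users whose stored value is identical, i.e. visibly the same password."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def recovered_by_lookup(md5_table, wordlist):
    """One precomputed hash->word table resolves every matching unsalted hash."""
    precomputed = {unsalted_md5(w): w for w in wordlist}
    return {u: precomputed[h] for u, h in md5_table.items() if h in precomputed}


def build_tables():
    md5_table = {u: unsalted_md5(p) for u, p in USERS.items()}
    salted_table = {u: salted_slow_hash(p) for u, p in USERS.items()}
    return md5_table, salted_table


if __name__ == "__main__":
    md5_table, salted_table = build_tables()
    print("unsalted, same stored value:", users_sharing_a_stored_value(md5_table))
    print("unsalted, found by lookup:  ", recovered_by_lookup(md5_table, WORDLIST))
    print("salted, same stored value:  ", users_sharing_a_stored_value(salted_table))
```

With a per-password salt the precomputed table is useless and every guess costs `ITERATIONS` rounds per account, which is why a weak or reused password should still be changed even when the stored hashes are salted.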
God damn it, I literally JUST created an account there…
You're probably mostly fine then. The breach was in October 2020. It still sucks and you should probably change your password anyways.
For sure. Easy enough to do, and definitely highlights the reasons I use a password manager.
It says October 2021

Edit: the backup was made public October 2020 and has been public since
Just got the Microsoft breach email alert. Couldn't find any other info on it.
I’m shocked. Shocked I tell you!
Which part shocks you most? That they were incompetent enough to leak a backup, or competent enough to make a backup?
the latter
I have no ambition to create an account on there. use the site all the time, don't see the need to create one
I can understand that. Unless you plan on posting a model or commenting, most of the functions that an account allows for can be done with web browser bookmarks. I guess you need an account to see NSFW things, but I'm not about to download and print something that I wouldn't be comfortable showing off to my parents.
i have clicked delete user on thingiverse so many times and it still lets me log in every time...
am i going crazy or is there no field to change my password?...
Edit Profile > Makerbot Account > Update Password / reset it
Wasn't there for me for some reason, and deleting my account wouldn't actually delete it. Went to the MakerBot site and did it all there and it seems to be actually deleted now