Following the data leak on Thingiverse, we would like to share more information regarding this event and to provide an update on the steps we are taking to reduce the possibility of future potential risk for our users.
We sincerely apologize for this incident, regret any inconvenience it may have caused, and remain committed to protecting the privacy of our users. As necessary, we will keep enhancing our internal policies to minimize the possibility of human errors in the future.
Keeping Thingiverse free and open to everyone is important to drive innovation and grow 3D printing, and we would like to thank you for being part of this community.
What happened?
On October 16, 2020, some Thingiverse users’ information was accidentally made publicly available by an internal human error. On October 12, 2021, this data leak was brought to MakerBot’s attention. As soon as we were informed of the leak, we started analyzing its source and nature and its potential implications for the security of our users’ data, and implementing the necessary measures to mitigate any potential risk to your security.
What user information has been compromised?
The leak is limited to data from users that created Thingiverse accounts between 2010 and 2018 and includes the following categories of data: user name, public Twitter handles, hashed passwords, email addresses, email addresses associated with PayPal accounts (which were used to tip Thingiverse users for their designs), self-reported phone numbers, IP addresses, self-reported physical addresses, direct messages, unpublished designs, and tokens.
Has Thingiverse identified unusual attempts to access the exposed accounts?
We have not identified any suspicious attempts to access Thingiverse accounts or use the exposed tokens, and the current Thingiverse production platform was deemed unharmed. As a precautionary measure, we have reset all the passwords of those accounts that have had their email address exposed. Regardless, we encourage you to proactively change your password from time to time and use a unique password for each service you use online.
What actions were taken?
In order to minimize the implications of the data leak, we took the following actions:
- Validated the source of the leak, fixed the internal error, and removed public access to exposed data on Thingiverse.com. However, if copies of the data were made, that information may still be available to third parties.
- Revoked access to all compromised tokens.
- Identified and, as a precaution, proactively reset the passwords of those users who have had their email addresses exposed, whether their hashed passwords had been exposed or not.
What actions are we taking to minimize the possibility of future potential risks?
We are taking the following steps to improve the security of our users’ data and minimize the possibility of future potential risks:
- Identifying areas of possible process automation to help mitigate human errors.
- Identifying additional security measures to strengthen account safety.
- Addressing internal processes and protocols to identify gaps and areas of improvement.
How can I improve the security of my personal data?
To improve the security of your data, we encourage you to create strong, complex passwords that are unique to each of your accounts. Do not use the same password more than once. Use a mix of special characters, uppercase and lowercase letters, and numbers. Change passwords regularly, and do not share passwords with anyone.
Whom can I contact if I have any concerns regarding this incident?
Please contact privacy@makerbot.com with further questions or concerns.