According to a researcher, Thingiverse, a website dedicated to sharing original, user-created digital designs, has leaked 36 gigabytes of backup files containing 200,000 email addresses and other personal information. The data dump is currently being circulated on a known hacking forum.
Thingiverse's purpose is to provide free, open-source hardware designs that can be licensed under Creative Commons licenses or the General Public License, and to let sharers select a user license type for the designs they share. In this way, creative artists can license their original work freely.
What data was leaked?
After examining the leaked data file from the hacking site, the researcher told Information Security Media Group that the file was shared publicly a year ago and has remained exposed ever since.
The researcher added that the leaked data consists mainly of email addresses, usernames, home addresses, full names, and IP addresses.
Fortunately, Thingiverse subscribers can rest easy, since there is no trace of plaintext passwords in the leaked data set.
How was the Thingiverse data exposed?
A researcher known by the codename “pompompurin” on Twitter and other forums discovered the leaked data set. Pompompurin informed one cyber security firm that he found the leaked data on the first day of October 2021. He added that he shared it with one of his friends, who verified the leaked data and then informed the concerned site about it. Pompompurin claimed that he was not party to any transaction or communication between his friend and the website.
The researcher said that he scanned the exposed Thingiverse database on his own and confirmed that the leak resulted from a misconfigured S3 bucket used for the website’s backup data.
Unfortunately, the researcher’s friend who contacted the site also leaked the data to a known hacker forum because he was disappointed by the website’s irresponsibility in addressing the situation. He added that the website did not reply to even one of his warning messages.
Lastly, the researcher who first discovered the leak has advised Thingiverse that he will also be publishing the leaked data, after the company responded to him vaguely and failed to provide an estimated time for publishing an official notice.