Every week seems to bring another set of eye-catching data leaks, and this time it is a service that many in our community pay attention to. A database backup of Thingiverse, the popular 3D model sharing website, has been leaked online. It includes 228,000 e-mail addresses, full names, addresses and passwords, the passwords stored as unsalted SHA-1 or bcrypt hashes. If you have a Thingiverse account, it is worth checking whether your e-mail address appears in the leak, and changing your password on the site in any case. Our informal tests suggest that not all accounts are included in the leak; inclusion seems to be related to comments left on the website.
Beyond the severity of the leak itself, the choice of password hashing deserves some attention. SHA-1 and bcrypt may be regarded as broken or at best vulnerable in 2021, and that any website would fail to migrate to a stronger algorithm suggests Thingiverse paid very little attention to website security. We think this is a useful warning for other website operators in our field to review and upgrade their password hashing, but we have little doubt readers will agree that this will not be the last time we report such a breach and nervously check our own login details.
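As an added illustration of the upgrade the post calls for (example code, not Thingiverse's or the original article's), the following classifies stored password records by format and opportunistically re-hashes a legacy unsalted SHA-1 record into a salted, iterated scheme when the user next logs in successfully. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for a stronger algorithm, since bcrypt is not in the Python standard library; the bcrypt string and the sample password are constructed placeholders.

```python
import hashlib
import hmac
import os
import re

# Constructed sample records in the two shapes the leak reportedly contained:
# a bare unsalted SHA-1 hex digest, and a bcrypt string (prefix, cost, salt+hash).
LEGACY_SHA1 = hashlib.sha1(b"correct horse").hexdigest()   # constructed sample password
SAMPLE_BCRYPT = "$2b$12$" + "A" * 53                       # placeholder shape only, not a real hash

def classify_hash(stored: str) -> str:
    """Identify how a stored password record was produced, from its format alone."""
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1-unsalted"   # deterministic: equal passwords give equal hashes across users
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"          # salt and cost factor are embedded in the string
    if stored.startswith("$pbkdf2-sha256$"):
        return "pbkdf2-sha256"   # the upgraded format produced below (assumed, example-only)
    return "unknown"

def pbkdf2_hash(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Salted, iterated hash in a self-describing record: $pbkdf2-sha256$iters$salt$digest."""
    salt = salt or os.urandom(16)          # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against whichever format the stored record is in."""
    kind = classify_hash(stored)
    if kind == "sha1-unsalted":
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(stored, candidate)   # constant-time comparison
    if kind == "pbkdf2-sha256":
        _, _, iters, salt_hex, _ = stored.split("$")
        recomputed = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(recomputed, stored)
    return False   # bcrypt verification needs the bcrypt library; not handled in this example

def login_and_upgrade(stored: str, password: str):
    """Return (login_ok, record_to_store). A correct login against a legacy
    unsalted SHA-1 record yields a new salted record to write back in its place."""
    ok = verify(stored, password)
    if ok and classify_hash(stored) == "sha1-unsalted":
        return True, pbkdf2_hash(password)
    return ok, stored
```

Because the legacy digest is unsalted, every user with the same password shares one identical record; after the upgrade, the same password yields a different record for each user.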