Thingiverse Data Breach Reveals 2M Users’ Passwords and Email Addresses
Author: Trend Micro
This article is from Trend Micro.
MakerBot’s Thingiverse, a website where users can share 3D printing templates and designs, was recently the victim of a major data breach that resulted in the exposure of over 2 million users’ passwords and email addresses.
The breach was initially reported to have affected 228,000 email addresses, but TJ Horner, a software engineer who worked at MakerBot, analyzed the leaked data and found that it actually affects more than 2 million users. Horner added that the breach includes OAuth tokens that may have been used to remotely access and take control of MakerBot printers.
Thingiverse posted a statement regarding the data breach on Twitter, but their view of the scope of the breach — specifically the number of users affected — is much smaller than seems to be the case.
Thingiverse’s Twitter statement
Thingiverse claims that less than 500 users were affected but in addition to TJ Horner, Troy Hunt, the creator of HaveIBeenPwned.com, believes otherwise. HaveIBeenPwned provides notifications to users when their email addresses are part of known breaches, and Troy has confirmed that the Thingiverse breach has affected far more than only 500 users. Troy stated on Twitter that at least 10,646 HaveIBeenPwned users were notified of the breach and a lot of them have been confirmed as Thingiverse users, too.
Troy Hunt isn’t in agreement with Thingiverse
As of right now, it does in fact appear that 2,292,189 Thingiverse records have been exposed, including people’s email addresses, passwords, full names, usernames, addresses, IP addresses, and birthdates. Thingiverse users are advised to change their passwords as well as the passwords of their other accounts that share the same email or password to avoid any further security issues.
Leaked data can be used by cybercriminals in many ways
- Identity theft.
- Targeted phishing attacks.
- Brute-force attacks to try and gain full access to online accounts.
- SIM swap attacks, which allow hackers to get around multi-factor authentication.
- Smishing attacks, which are used to trick victims into revealing additional personal information.
Is your email address pwned?
Find out if your email address appeared in any data leaks
Use Trend Micro ID Security to protect your online security and privacy
Here at Trend Micro, we’ve developed an app specifically designed to meet the challenges that data leaks bring.
Available on Android and iOS, ID Security scours the dark web for any mention of your data (email address, passwords, bank account information, and more) and in the event of it being sold or shared by cybercriminals, it will alert you. Its key features include:
- Dark Web Personal Data Manager: Scours the dark web for data such as bank account numbers, driver’s license numbers, passport numbers, and Social Security numbers.
- Credit Card Checker: Find out if someone has acquired your credit card number and put it on the dark web.
- Email Checker: Find out if any of your email addresses have been leaked on the dark web. You’ll be notified which exact account it is — so you can take the appropriate counter-measures.
- Password Checker: ID Security will notify you if you’re using a password currently in circulation on the dark web.
- Social Media Account Checker: Find out if your Facebook or Twitter accounts have been leaked and shared.
- A Comprehensive Monitoring Report
Click the button or scan the QR code below to try the free 30-day trial version today! If you found this article interesting and you think it would be useful for others, please share it with family and friends.
Report a Scam!
Have you fallen for a hoax, bought a fake product? Report the site and warn others!
Scam Categories
Help & Info
Top Safety Picks
Your Go-To Tools for Online SafetyDisclaimer: Some of the links here are affiliate links. If you click them and make a purchase, we may earn a commission at no extra cost to you.
- ScamAdviser App - iOS : Your personal scam detector, on the go! Check website safety, report scams, and get instant alerts. Available on iOS
- ScamAdviser App - Android : Your personal scam detector, on the go! Check website safety, report scams, and get instant alerts. Available on Android.
- NordVPN : NordVPN keeps your connection private and secure whether you are at home, traveling, or streaming from another country. It protects your data, blocks unwanted ads and trackers, and helps you access your paid subscriptions anywhere. Try it Today!
- Incogni : Incogni automatically removes your personal data from data brokers that trade in personal information online, helping reduce scam and identity theft risks without the hassle of manual opt-outs. Reclaim your privacy now!
Popular Stories
As the influence of the internet rises, so does the prevalence of online scams. There are fraudsters making all kinds of claims to trap victims online - from fake investment opportunities to online stores - and the internet allows them to operate from any part of the world with anonymity. The ability to spot online scams is an important skill to have as the virtual world is increasingly becoming a part of every facet of our lives. The below tips will help you identify the signs which can indicate that a website could be a scam. Common Sense: Too Good To Be True When looking for goods online, a great deal can be very enticing. A Gucci bag or a new iPhone for half the price? Who wouldn’t want to grab such a deal? Scammers know this too and try to take advantage of the fact. If an online deal looks too good to be true, think twice and double-check things. The easiest way to do this is to simply check out the same product at competing websites (that you trust). If the difference in prices is huge, it might be better to double-check the rest of the website. Check Out the Social Media Links Social media is a core part of ecommerce businesses these days and consumers often expect online shops to have a social media presence. Scammers know this and often insert logos of social media sites on their websites. Scratching beneath the surface often reveals this fu
How do I recover my crypto after it’s stolen? What happens if your crypto wallet is compromised? Can stolen crypto be traced, and can police actually recover crypto in 2026? These are the questions most people ask within minutes of realizing their wallet has been drained. Crypto theft is fast, quiet, and unforgiving. By the time most victims notice something is wrong, the funds are already moving across the blockchain. Once seen as a problem for exchanges and whales, crypto theft now heavily affects everyday investors. Phishing links, fake support chats, wallet approval scams, SIM swaps, and malware attacks have become common. Knowing what recovery realistically looks like—and what it doesn’t—can prevent panic, bad decisions, and costly follow-up scams. In a Nutshell Crypto recovery is possible, but only in limited situations Blockchain transactions are irreversible, but stolen crypto can still be traced Speed and documentation matter more than optimism Police and exchanges play a bigger role than private recovery services Guaranteed recovery offers are almost always scams Is it Actually Possible to Recover Stolen Crypto? Yes, crypto recovery is possible, but only under specific conditions and rarely through direct action by the victim. Blockchain transactions are final by design. Once crypto is sent and confirmed, it cannot be reversed. There is no central authority, no chargeback process, and no technical “undo” button, even if the transaction was clearly fraudulent. This is where many people ask whether stolen crypto can be traced. In most cases, it can. Every transaction