To the TurboSquid Community:
We are sharing information about a security breach. TurboSquid has been watching and implementing measures to contain a person who we believe accessed FallingPixel.com’s encrypted member password records. For background, FallingPixel is a 3D model marketplace that TurboSquid acquired in 2011. For each password that the intruder then cracked, the intruder was able to access the corresponding FallingPixel account, and by using common passwords that some users had between their FallingPixel and TurboSquid accounts, the intruder was able to access 0.04% of all TurboSquid accounts, which includes 237 artist accounts.
TurboSquid is accountable for this and we deeply regret the incident, and apologize to you, and our community for it happening and for not containing it sooner. While TurboSquid itself was not breached, FallingPixel was breached, and after discovery, FallingPixel.com was immediately taken offline, permanently. That was part of a number of changes to our technical infrastructure to prevent further incidents that I will detail shortly.
If you used your FallingPixel password on any other website, we recommend changing it to avoid potential risks.
All indications are that the intruder is an artist from the community. This person accessed the FallingPixel password data, and then began to slowly login to accounts using passwords that he was able to crack. The passwords on FallingPixel were encrypted using a weaker algorithm (MD5) than is used on TurboSquid, and were encrypted without using a “salt”. Because of the weaker algorithm it was possible to compromise passwords using techniques outlined in this article by arstechnica.
From that point in 2012, the intruder used passwords that were in common between FallingPixel and TurboSquid to surreptitiously log in to TurboSquid and download product files from artist accounts, sales data, and payment information; and also to log into customer accounts to download product files from previous customer purchases. No credit cards were exposed in the intrusion.
We have sent a disclosure email to all FallingPixel users. FallingPixel was already in the process of being decommissioned, and after discovery of the breach, all servers have been permanently shut down to avoid any further risk of data breach.
In the coming days, TurboSquid will make full individual disclosures to all impacted TurboSquid users about what was accessed in their individual cases. All potentially impacted users have also been notified.
We believe we know the identity of the intruder and are in the process of working with law enforcement on this matter.
Security actions taken since discovery include:
- Shutting down FallingPixel.com
- Expiring all passwords from any user account that had been on FallingPixel, regardless of whether or not the accounts were accessed or the passwords were in common
- Increasing password complexity requirements on TurboSquid for new users, including all users that had accounts on FallingPixel
- Creating notification emails for a change of email address or payment info
- Adding restrictions to artist downloads of their own products in certain cases
- Implementing internal detection methods for similar breaches (no others were found)
In the future, additional methods will be released such as Multi-factor authentication and several other notifications and security authorizations for users to be aware of account accesses.
Once again we are sorry for this security breach, and are making every effort to share the relevant facts to all impacted parties.
CEO | TurboSquid