Image courtesy: cybernews.com
On Teespring (now called Spring), a web platform that allows users to design and sell custom-printed clothing, a hacker stole the personal information of millions of users. The user information was leaked as early as April 2021, on a public forum dedicated to cybercrime and the sale of stolen databases.
Teespring stated that it was aware of the breach, which it announced on December 1, 2020.
The official site of Teespring ( https://community.teespring.com/blog/security-incident-june-2020/ ) states the incident occurred in June 2020, when a hacker stole user data from its cloud infrastructure. But the users registered at “Have I Been Pwned” are being notified now on an official basis about this incident stating whether there information was the one to be compromised, the date of attack as mentioned there, goes back to as early as April 2020.
The Teespring data was made available in the form of a 7zip archive containing two SQL files.
The first file contains a list of over 8.2 million Teespring user email addresses, as well as the date the email address was last updated. Other information about a user’s Teespring Online account is included, but it is not considered sensitive. The good news is that not all accounts have this information filled out, so the number of granular details provided by Teespring users can be used to deter scammers.
Second, passwords were not released; however, it is unclear whether hackers had access to passwords and chose not to release them. ShinyHunters, a threat actor who has leaked billions of user records from hundreds of computers, is the hacker who leaked the data.
The company’s data was initially offered for sale on the same forum and private Telegram channels in December 2020 before being leaked for free by ShinyHunters in a common scheme in which data brokers attempt to shut down each other’s sales.