Teespring is a popular destination on the web that allows users to create and sell custom-printed apparel, including, as the name implies, custom-designed tee-shirts.
If you use the site, you should know that an as-yet-unknown third party recently breached it and made off with a couple of the company’s databases.
These have been made available on the web, exposing some user information belonging to more than 8 million of the company’s users.
The two SQL files were compressed as a 7Zip archive, with the first containing user email addresses and the dates that the email addresses were last updated. The second SQL file contains the account details of more than four and a half million users, and includes OpenID and Facebook account information (if those were used in the creation of the Teespring account), the user’s home address, name, and phone numbers. That is all in addition to other, mostly non-sensitive details contained in the users’ profiles.
If there’s a silver lining to be found regarding the incident, it lies in the fact that no password data appears to have been present in either file, which dramatically reduces the risks associated with the stolen data. Nonetheless, there’s enough there that it would certainly be possible for hackers to mesh it with information from other sources to steal someone’s identity. It should be noted, however, that it is possible that additional databases could have been stolen, and these could easily have contained passwords that the hackers simply opted not to publish.
In any case, the company made a formal disclosure about the incident, revealing that its investigation so far indicates that the incident occurred in June 2020.
The company’s statement reads, in part, as follows:
“Teespring had previously evaluated a 3rd party service called Waydev which required access to some of our data. This access was implemented via a technology called OAuth. Unfortunately, Waydev retained the OAuth token for Teespring (and several other companies) which was accessed from Waydev without authorization by a third party. The token was then used to gain access to some of the Teespring infrastructure.”
If you’re a Teespring user, be aware that some of your data may have been compromised, and be on the alert for suspicious emails hitting your inbox.