Clients of Spreadshirt, Spreadshop, and TeamShirts have been warned of a data breach which has seen the details of customers, partners, and employees fall into the lap of cybercriminals.
News of the breach first emerged on Thursday when customers were warned by email of a “security incident” involving an “unauthorised third party.” At the time, the print-on-demand T-shirt company said it was investigating what data might have been affected.
Today the company has confirmed that it had been targeted in an “organized cyber-attack,” described as being “carried out with considerably vicious criminal intent.”
An email sent to users warned that postal addresses, bank account details and/or PayPal addresses, and password hashes saved before 2014 had been breached after the hackers managed to gain access to some of the company’s servers.
Hmmph. Nice of them to keep it friendly with the “Hey there”…
A security advisory published on the Spreadshirt website offers some details of what types of data were accessed by the hackers, but does not give any figures for how many people may be affected:
Data affected includes address and contractual data belonging to customers, partners, employees and external suppliers. Also affected are the payment details of a small number of customers who made payments to Spreadshirt, Spreadshop or TeamShirts via bank transfer, or who have received a refund via bank transfer. According to the latest information from our investigations, the hacked servers did not contain the bank details of any other groups of customers.
Customers are being advised to change their passwords, and some tips are offered on the Spreadshirt website as to how to do this safely:
- Choose as long a password as possible
- Avoid using personal information, such as a birthday
- Use a combination of numbers, symbols, and upper and lower case letters
- Use a different password for each of your accounts
- Change your password regularly
Hmm... I’m not so sure about that last piece of advice. As I’ve described several times before, changing your password on a regular basis is not always a good recipe when it comes to security.
Yes, you should change your password if you have good reason to believe it may be weak or has been compromised (which seems plausible if you deal with one of the Spreadshirt companies, or if you have bought a T-shirt from a website that embedded an online store powered by Spreadshop).
But don’t just change your passwords regularly unless you have good reason – as it may be that you will fall into the trap of choosing weaker and/or more predictable passwords as a result.
Yes, you should change your T-shirt every day, but not your password. Although today, maybe both would be a sensible choice.