A hacker has leaked the details of tens of millions of users registered on Teespring, a web portal that lets users create and sell custom-printed clothing.

The user data was leaked last Sunday on a discussion forum devoted to cybercrime and the sale of stolen databases.

The Teespring data was made available as a 7zip archive that contains two SQL files. The first file contains a list of more than 8.2 million Teespring users' email addresses and the date each email address was last updated.

The second file includes account details for more than 4.6 million users.

Details included in this second SQL file are a hashed version of the email address, usernames, real names, phone numbers, home addresses, and the Facebook and OpenID identifiers users used to log into their accounts.

Other details related to a user's Teespring account are also included and are not considered to be sensitive.

The good news is that not all accounts have this information filled in, which limits how the breach affects each Teespring user to the amount of granular detail they provided to the company. Secondly, password data was not included; however, it is unclear if hackers obtained access to passwords and just chose not to release them.

The hacker who leaked the data goes by the name of ShinyHunters, a threat actor that has leaked billions of user records from hundreds of organizations.

However, ShinyHunters is not believed to have been the person who breached Teespring.

The company's data was first offered for sale on the same forum and via private Telegram channels in December 2020, before being leaked for free last week by ShinyHunters, in a common practice where data brokers sabotage each other's sales.

A request for comment sent to an email address previously used by ShinyHunters also remained unanswered.

Teespring breach occurred via Waydev app

A Teespring spokesperson told ZDNet the company was aware of the breach, which it disclosed on December 1, 2020. The company said the incident took place in June 2020 when a hacker managed to steal user data from its cloud infrastructure.

“Teespring had previously evaluated a third-party company known as Waydev which needed access to some of our data. This access was carried out via a technology known as OAuth,” the company said.

“Unfortunately, Waydev retained the OAuth token for Teespring (and a number of other businesses) which was accessed from Waydev without authorization by a third party. The token was then used to gain access to some of the Teespring infrastructure.”

The Waydev incident is well known and was previously covered by ZDNet in July 2020.

Teespring, founded in 2011, is currently ranked as one of the 1,500 most popular sites on the internet, at #1,410, according to the Alexa web traffic ranking.

Updated at 12:30pm ET with comment from Teespring.