Spreadshop hacked. T-shirt lovers warned of “considerably vicious” data breach

“Hey there, don’t sweat but hackers have nabbed your data from our T-shirt store…”

Graham Cluley
@gcluley


Clients of Spreadshirt, Spreadshop, and TeamShirts have been warned of a data breach which has seen the details of customers, partners, and employees fall into the lap of cybercriminals.

News of the breach first emerged on Thursday when customers were warned by email of a “security incident” involving an “unauthorised third party.” At the time, the print-on-demand T-shirt company said it was investigating what data might have been affected.

Today the company has confirmed that it had been targeted in an “organized cyber-attack,” described as being “carried out with considerably vicious criminal intent.”


An email sent to users warned that postal addresses, bank account details and/or PayPal addresses, and password hashes saved before 2014 had been breached after the hackers managed to gain access to some of the company’s servers.

Hmmph. Nice of them to keep it friendly with the “Hey there”…

A security advisory published on the Spreadshirt website offers some details of what types of data were accessed by the hackers, but does not give any figures for how many people may be affected:

Data affected includes address and contractual data belonging to customers, partners, employees and external suppliers. Also affected are the payment details of a small number of customers who made payments to Spreadshirt, Spreadshop or TeamShirts via bank transfer, or who have received a refund via bank transfer. According to the latest information from our investigations, the hacked servers did not contain the bank details of any other groups of customers.

Customers are being advised to change their passwords, and some tips are offered on the Spreadshirt website as to how to do this safely:

  • Choose as long a password as possible
  • Avoid using personal information, such as a birthday
  • Use a combination of numbers, symbols, and upper and lower case letters
  • Use a different password for each of your accounts
  • Change your password regularly

Hmm.. I’m not so sure about that last piece of advice. As I’ve described several times before, changing your password on a regular basis is not always a good recipe when it comes to security.

Yes, you should change your password if you have good reason to believe it may be weak or has been compromised (which seems plausible if you deal with one of the Spreadshirt companies, or if you have bought a T-shirt from a website that embedded an online store powered by Spreadshop).

But don’t just change your passwords regularly unless you have good reason – as it may be that you will fall into the trap of choosing weaker and/or more predictable passwords as a result.

Yes, you should change your T-shirt every day, but not your password. Although today, maybe both would be a sensible choice.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Spreadshop hacked. T-shirt lovers warned of “considerably vicious” data breach”

  1. I'm glad I follow your RSS feed. I've bought three t-shirts from SpreadShirt but not heard anything from them!

    I always pay via PayPal when I can so have changed my PayPal password as a precaution (and I have 2FA on PayPal).
