On July 8th, 2021, Spreadshop, a popular merchandise shop platform powered by Spreadshirt, was the victim of a cyber-attack. In an update posted to its website, the platform confirmed that personal user data, including bank account details, had been compromised.
PrivacySharks reached out to Spreadshop for further details on the attack and received this statement from the press team about the breached data and who was affected:
“Data affected includes address and contractual data belonging to customers, partners, employees, and external suppliers. Also affected are the payment details of a small number of customers who made payments to Spreadshirt, Spreadshop, or TeamShirts via bank transfer or who have received a refund via bank transfer. According to the latest information from our investigations, the hacked servers did not contain the bank details of any other groups of customers.”
The statement confirms that the breach reaches well beyond Spreadshop's customers to partners, employees and external suppliers, although its scale has not yet been quantified. Spreadshirt is now working with third-party companies to improve its security measures, and we will continue to update this story as developments come through.
Below are the English and Danish versions of the Spreadshop statement e-mail sent to all affected users.
Spreadshop attack: what happened?
Spreadshop alerted users via its website on July 8th 2021 that it had been the victim of “an organized cyber-attack which was carried out with considerably vicious criminal intent.” The perpetrators are not yet known, and because the company has not said how its servers were entered, nothing can be concluded about the attackers' methods or skill level.
Although the company says it quickly secured the data stored on its systems, some information was accessed before it did so, which is worrying for Spreadshop users, customers, and partners. This data includes:
- Address data
- Password hashes saved before 2014
- Bank account details
- PayPal addresses
A message we viewed, sent by Spreadshop to Danish users, stated that hackers had accessed servers and the data stored on them, and that this data could potentially be published. This also included data from Spreadshop partners. In the same email, Spreadshop said: “We deeply regret that personal data has been accessed as a result of this cyber-attack.”
We asked the Spreadshirt press team how long it took the platform to notice the breach and were told, “Please understand that we are currently unable to comment on this.” We assume that the company is unwilling to reveal its detection and response timeline while the investigation is ongoing.
Who was affected?
PrivacySharks asked Spreadshirt’s press team for explicit information on who was affected by the breach. We were informed that data relating to customers, partners, employees, and external suppliers was implicated in the attack.
When we asked for an approximate figure of how many accounts were implicated in the breach, Spreadshirt told us, “this is still being investigated in detail.” However, given that the attack has affected not just customers but other third parties, it’s possible that there is a long list of individuals whose personal data have been breached.
Since the affected data includes address data, password hashes, bank account details and PayPal addresses, many users could have had their information stolen. Theft of data this sensitive could result in fraud or identity theft. The pre-2014 password hashes are a particular concern: a leaked hash can be attacked offline at the attacker's leisure, and if the hashing scheme in use at the time was weak, many of those passwords could be recovered and tried against other services where the same password was reused.
Moreover, the contact of ours who received the Danish email regarding the breach does not have a Spreadshop account. This is consistent with Spreadshop’s statement to PrivacySharks that consumers who have merely made purchases from the site, not only account holders, were affected by the attack.
Spreadshop’s response to the breach
In Spreadshop’s statement released shortly after the discovery of the breach, the company stated that “We immediately took all necessary steps to protect all the data we hold and are currently working with external cyber-security specialists to systematically reconstruct the incident.”
The company says it is working to ensure that a similar event does not take place in the future by strengthening its security and working with external specialists and the relevant authorities to protect its servers. However, we do not know the details of the measures being taken, and were told by the press team: “For investigative reasons, we cannot give further details on what new security measures will be implemented to prevent attacks like this from happening in the future.”
What should Spreadshop consumers do?
We asked Spreadshop what PrivacySharks’ readers should do if they have an account and were told, “we highly recommend them to change their passwords.”
If you have a Spreadshop account, change your password immediately. Choose a long (more than 15 characters), unique password, ideally generated and stored by a password manager, rather than one you use anywhere else. If you reused your old Spreadshop password on any other site, change it there as well, since the leaked hashes may eventually be cracked and tried against other services.
Moreover, change your PayPal password and the passwords of any bank accounts linked to your Spreadshop account, and enable two-factor authentication on those accounts where it is offered. Because bank account details and addresses were among the stolen data, also watch your bank statements for unexpected transactions and be wary of e-mails or calls that reference your Spreadshop orders or ask you to confirm payment details; such messages may be phishing built on the leaked data.
#SpreadGroup was the target of an organized cyber-attack which was carried out with considerably vicious criminal intent. Our day-to-day operations have not been impacted by this incident. All news at: https://t.co/X7m1TDQRaD #spreadshirt #spreadshop pic.twitter.com/Sy4TAz3UX0
— Spread Group (@spread_group) July 12, 2021
What does this breach mean?
The number of online security breaches has risen sharply in the last year, and the Spreadshop incident is the latest indication that cyber-attacks are not going to disappear any time soon.
The fact that sensitive information like banking details can be stolen and exploited is bad news for both online businesses and consumers. Businesses that fall victim to breaches risk losing customer trust and will need to spend more on security measures.
Moreover, customers are put at risk of identity theft, fraud, phishing scams, and credential-stuffing attacks, in which passwords recovered from the leaked hashes are tried against their other online accounts.
For now, all we can recommend is that users pick a strong, unique password for every online account, change any password that has been exposed in a breach, and enable multi-factor authentication wherever it is offered.