Cyber Incident Victim: Spread Group

Date: Jul 2021

Location: Germany

Summary

A print-on-demand apparel company experienced what it described as an organized cyberattack with "considerably vicious criminal intent," compromising customer, partner, and employee data. Unauthorized access to servers exposed postal addresses, financial details including bank and PayPal information, and older password hashes. The company notified affected parties and recommended password changes while emphasizing secure practices such as unique credentials and avoiding personal information in passwords.

Description

The Spread Group, encompassing Spreadshirt, Spreadshop, and TeamShirts, experienced a significant cybersecurity incident first disclosed to customers via email on July 8, 2021. The initial notification described a "security incident" involving unauthorized third-party access to company systems, prompting an ongoing investigation into the scope of compromised data. By July 12, 2021, the company confirmed the event as an "organized cyber-attack" characterized by "considerably vicious criminal intent," affecting customers, partners, and employees across its brands. Attackers breached certain company servers, though the specific intrusion methods or initial attack vectors were not detailed in public communications. The incident timeline indicates detection occurred shortly before the July 8 notification, with forensic analysis continuing through the subsequent days to determine data exposure.

Compromised information included postal addresses, bank account details, PayPal addresses, and password hashes for accounts created before 2014. The company explicitly advised affected individuals to change their account passwords, publishing guidelines recommending long passwords with character variety, avoidance of personal information, unique credentials per account, and regular password changes. This guidance appeared on the Spreadshirt website alongside breach notifications. The disclosure acknowledged potential risks to customers of third-party websites using Spreadshop's e-commerce platform. No ransomware involvement or explicit financial demands were mentioned in the available reporting. Containment measures focused on securing breached systems, though technical specifics regarding server lockdowns or access revocation were not publicly elaborated. The incident exposed legacy security risks through the compromise of older password hashes, while more recent authentication data remained unaffected according to the company's statements.
