Cyber Incident Victim: Teespring
Date: Jun 2020
Location: United States of America
Summary
A hacker leaked personal data belonging to millions of users of a custom apparel platform, including email addresses, real names, phone numbers, home addresses, and social media identifiers. The breach occurred when an unauthorized third party exploited an OAuth token retained by a third-party service provider, Waydev, which had previously been granted access to the company's cloud infrastructure. The compromised data was initially offered for sale before being publicly released by the threat actor ShinyHunters, who was not responsible for the initial intrusion. The incident involved unauthorized access to both user account details and less sensitive platform information.
Description
In June 2020, a hacker gained unauthorized access to Teespring's cloud infrastructure, compromising user data through a third-party service. The breach originated from Waydev, a software analytics provider that had previously integrated with Teespring using OAuth authentication. Waydev retained an active OAuth token that enabled access to Teespring's systems, and an unauthorized third party subsequently stole that token. The token allowed the attacker to extract sensitive user information stored in Teespring's databases. The company became aware of the intrusion and publicly disclosed the breach on December 1, 2020, confirming the incident occurred approximately six months prior.

The stolen data appeared for sale on cybercrime forums and private Telegram channels in December 2020 before being leaked publicly in January 2021 by the threat actor ShinyHunters. The leaked dataset consisted of two SQL files in a 7zip archive, containing email addresses with last-updated timestamps for over 8.2 million users and detailed records for 4.6 million accounts. These records included hashed email addresses, usernames, real names, phone numbers, physical addresses, and social media login identifiers (Facebook/OpenID). ShinyHunters, known for leaking billions of records from multiple companies, distributed the data freely on a cybercrime forum as part of competitive sabotage against other data brokers. Teespring confirmed the breach stemmed specifically from the compromised Waydev token and emphasized that no financial data was exposed. The platform, ranked among the top 1,500 websites globally at the time, faced significant reputational impact from the exposure of millions of user records through this supply-chain attack vector.
