ZDNet spotted a hacker group named ShinyHunters, who leaked the stolen database of Teespring in a dark web forum. This data was stolen earlier and has been sold last year in the same forum. The now leaked data contained sensitive data like the PII of millions of users, but not the passwords.
Teespring Stolen Records Leaked
Teespring is an e-commerce store maker, that lets creative users make custom apparel and sell it. It’s one of the most popular sits on the internet today, with millions of users making stores in it. From the Waydev hack that happened in past, Teespring was indirectly affected and now suffering.
A hacker group (or a person) named ShinyHunters has dumped the stolen database of Teespring in a dark web forum last Sunday. The leak was in the form of a zip file, that contained two databases. The first one contained over 8.2 million records of email addresses and when they were updated last time.
Whereas the second one contained PII of more than 4.6 million users. This includes the usernames, real names, home addresses, phone numbers, hashed email addresses, Facebook and OpenID identifiers of users. It’s glad that not all these records are available for all users, but some, based on the details provided by the users.
Also, there are no passwords in the leaked database. This doesn’t mean that they weren’t breached, as hackers may have decided not to dump them along. Though ShinyHunters leaked the data, the actual breacher could be someone else.
It’s reported that a breach incident that happened against Waydev in early 2020 is the root cause of this. Hackers in breach have stolen the OAuth tokens of all the companies stored by Waydev and used them for accessing the affected companies’ databases. GitHub and GitHub too were victims of this.
Teespring spokesperson said to ZDNet that they’re aware of the leak, and said that they were the victims of the Waydev incident since they shared the access OAuth tokens with them. Before leaking now, this database was sold commercially in the same forum and private Telegram channels in December 2020.