Teespring, a Silicon Valley e-commerce site that lets people create and sell customized T-shirts, sweaters, and other apparel, is having a heck of a month.
Two weeks ago the company apologized to the Polish Auschwitz Memorial Holocaust museum after Internet sleuths discovered a Teespring user was selling “Camp Auschwitz” shirts identical to the now-infamous hoodie sported by a Virginia terrorist who stormed the U.S. Capitol on January 6.
Now a prolific hacker group called ShinyHunters has just leaked over 8 million user records from the company, dumping them onto a publicly accessible cybercrime forum called RaidForums. The data, which apparently came from a June Teespring hack, includes email addresses, “usernames, real names, phone numbers, home addresses, and Facebook and OpenID identifiers users used to log into their accounts,” but not email passwords. Gizmodo has independently verified these claims.
“The company’s data was initially offered for sale on the same forum and via private Telegram channels in December 2020, before being leaked for free last week by ShinyHunters in a common practice where data brokers sabotage each other’s sales.”
The company’s data appears to have actually been stolen via intrusions into a third-party contractor, Waydev, a GitHub analytics provider that suffered a bad cyberattack last summer.
The threat actor responsible for this week’s leak—ShinyHunters—is quite prolific and leaks previously stolen lists in an effort to head off hackers who try to sell this data in DarkNet markets. The group went on a white-hot streak last year—WIRED called it a “data breach spree”—leaking ever-increasing hordes of compromised corporate records. It’s already off to a busy start this year, too: Before Teespring’s leak several days ago, the group was also responsible for posting some 1.9 million user records from the free photo editor application Pixlr.
By contrast, it’s been a very rough start to 2021 for Teespring, whose shirt controversy has been compounded by its recent data gush.
While it’s unclear where that original “Auschwitz” hoodie came from, an apparent wave of copy-cat shirts popped up on Teespring, as well as on sites like Etsy and TeeChip. The company ended up banning 26 users for attempting to sell the Nazi merchandise, and last week Teespring’s CEO also published an apology in which he explained that his company, which sees an average of 40,000 products created daily on its site, had “successfully flagged the [Auschwitz] design” within hours of it initially being listed. He called the content “truly abhorrent” and announced that the company had made a $10,000 donation to Auschwitz‑Birkenau Memorial and State Museum.
Yet this is not the first time Teespring has had these problems. Almost like an e-commerce version of Parler, the company’s lack of comprehensive oversight over the content on its site has frequently gotten it into hot water. Case in point: about a month ago, Jewish groups spoke out against the company after it was caught selling T-shirts that read “I Survived the Holocaugh,” a white supremacist joke about covid-19. It also sold shirts that lionized Dylann Roof, the Charleston church shooter. After being called out for incidents like this, the company has typically taken down or banned the merchandise from being sold.