The information below outlines details of a security incident that occurred in June 2020 in which some non-sensitive user information was obtained by an unauthorized third party. Teespring respects all of our users’ rights and privacy; the details below are provided to promote the continued protection of your personal information.
On July 8th, Teespring detected that the names and email addresses of some of its users had been acquired without authorization from our cloud infrastructure environment. The incident affected a number of other companies at the same time.
How was the information obtained?
Teespring had previously evaluated a third-party service called Waydev, which required access to some of our data. This access was implemented via a technology called OAuth.
Unfortunately, Waydev retained the OAuth token for Teespring (and several other companies), and a third party accessed that token from Waydev without authorization. The token was then used to gain access to some of the Teespring infrastructure.
What information was obtained?
Some names, emails and postal addresses. NO passwords, financial, tax, or other sensitive information was exposed in the incident.
What action was taken?
We immediately blocked the unauthorized access and secured our infrastructure. We launched an investigation with the help of cybersecurity experts to assess what information might have been affected.
What follow-up actions will happen?
We will continue promoting standard security best practices such as strong, regularly changed passwords and 2-factor authentication. Because password information was not exposed, and because of the “security in depth” of our platform, these are preventative measures.
What can you do to further protect your security?
Out of an abundance of caution, we will prompt a few of our users (who haven’t changed their password in a long time) to reset their password in the coming days. Teespring also supports multi-factor authentication using a virtual device like the Google Authenticator on your smartphone. We also recommend standard online safety best practices such as:
- Use a password manager (such as 1Password or KeePassXC)
- Never re-use passwords between different web sites
- Do not save passwords in web browsers on shared computers
- Never give your password to anyone