I just received this email from Spreadshirt, warning me of a possible breach of their system (I think):
Thanks to our security monitoring measures, we have recently become aware of unauthorized attempts to access a number of Partner accounts. The attempts were aimed at extracting lists of addresses and passwords compromised on Spreadshirt’s online platform. Of course, we conducted a comprehensive and thorough review of partner data for any questionable activity once we had become aware of the activity.
It is likely that those affected by this attack typically use the same credentials (username and password) for their email accounts and other online services. We highly recommend securing your email account AND other online accounts by doing the following:
• Choose new passwords for your accounts, and be sure to use different passwords for your email accounts (Gmail, Yahoo, etc.) and online accounts (Spreadshirt, eBay, Amazon, etc.). When choosing a password, we recommend using at least 6-8 characters. Use uppercase and lowercase letters, numbers (non-sequential) and at least one special character (*&^$#).
• Once you update your password, please log back into your account and check the accuracy of your payout details to ensure they weren’t changed by someone else.
If you were due to receive money, the missing amount will be processed with the next payout.
We appreciate your understanding, and we are more than happy to answer any questions or concerns you may have. Feel free to reach out to us at firstname.lastname@example.org.
Change password now
Your Spreadshirt Team
In my case I created a Spreadshirt account several years ago, when I had a mug printed as a gift for somebody. I used the account once and never used it again. Obviously I used a single time password on the account that was never used anywhere else.
BUT we don’t actually know that there has been a breach or leakage of information. All we do know from the email is that there were attempts to gain entry to some accounts.
Sending emails like this to every account holder is counterproductive and actually decreases security and increases the risk of phishing and identity theft.
If there is an actual breach, then inform the account holders individually who were breached. If there were only generalised attempts then say so & don’t send an email to every user. I have now deleted my account as I am unlikely to ever print another mug or T-shirt.
Update 6 January 2017:
A revised email has just arrived:
In an email sent yesterday (January 5th, 2017), there was a mistake due to a translation error. The correct information is as follows:
Fraudulent log in attempts to Spreadshirt Partner accounts have been made. The attacker(s) used lists of email addresses and passwords obtained from compromised online services and used them against Spreadshirt Partner accounts.
In order to secure your account, please change your password immediately, and check your payout information to ensure its accuracy.
We are sorry for any inconvenience. Spreadshirt has taken all necessary measures to protect Partner accounts. If you have any questions or concerns, do not hesitate to contact us at: email@example.com.
We apologise for the inaccuracy,
Your Spreadshirt Team
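The distinction drawn above, between accounts that were only targeted by reused-credential login attempts and accounts that were actually accessed, can be made from login records, so that only the affected holders are notified individually. The following is an added example, not code from Spreadshirt or the original post; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, outcome). Not real data.
EVENTS = [
    ("203.0.113.7", "alice@example.com", "fail"),
    ("203.0.113.7", "bob@example.com", "fail"),
    ("203.0.113.7", "carol@example.com", "fail"),
    ("203.0.113.7", "dave@example.com", "ok"),
    ("203.0.113.7", "erin@example.com", "fail"),
    ("203.0.113.7", "frank@example.com", "fail"),
    ("198.51.100.20", "erin@example.com", "fail"),   # ordinary typo, then success
    ("198.51.100.20", "erin@example.com", "ok"),
    ("198.51.100.20", "grace@example.com", "ok"),
]


def triage(events, min_accounts=5, min_fail_ratio=0.8):
    """Return (accessed, only_targeted) account lists.

    A source is treated as replaying a credential list when it tries many
    distinct accounts and most attempts fail. Both thresholds are assumed
    values and would need tuning against real traffic.
    """
    by_source = defaultdict(list)
    for source, account, outcome in events:
        by_source[source].append((account, outcome))

    accessed, targeted = set(), set()
    for attempts in by_source.values():
        accounts = {account for account, _ in attempts}
        failures = sum(1 for _, outcome in attempts if outcome == "fail")
        if len(accounts) < min_accounts or failures / len(attempts) < min_fail_ratio:
            continue  # looks like normal user traffic, not list replay
        for account, outcome in attempts:
            # A success from a list-replaying source means the reused password worked.
            (accessed if outcome == "ok" else targeted).add(account)

    return sorted(accessed), sorted(targeted - accessed)


if __name__ == "__main__":
    accessed, only_targeted = triage(EVENTS)
    print("Notify individually and force reset:", accessed)
    print("Targeted but not accessed:", only_targeted)
```

Grouping by source address alone misses attempts spread across many addresses, so a production version would also correlate on other shared attributes of the requests.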