Last week it was reported in Infosecurity Magazine that garment decoration service provider Spreadshirt had confirmed a breach of security on its partner websites.
In an email alert sent to partners on January 5, Spreadshirt said that it was able to detect the unauthorised access attempts on partner accounts, the aim of which was to extract lists of addresses and passwords from the company’s online platform.
The message read: “We conducted a comprehensive and thorough review of partner data for any questionable activity once we had become aware of the activity.”
In a second email sent on January 6, Spreadshirt confirmed that “fraudulent log-in attempts to Spreadshirt Partner accounts have been made. The attacker(s) used lists of email addresses and passwords obtained from compromised online services and used them against Spreadshirt Partner accounts.”
The company believed that the attack was facilitated by credential re-use, and implemented a password reset. In a statement issued to Infosecurity, a company spokesperson said: “We took action immediately when we noticed the first fraudulent logins and asked the affected Partners to change their passwords and check their payout details.
“Because the attack is still ongoing and because not all partners changed their passwords we decided to reset them in all affected accounts on January 5. All other Spreadshirt Partners received an email asking them to change their passwords and giving tips on what a secure password should look like.”
The spokesman added: “The attacker’s goal is to change the PayPal payout address for the commission payout in the Partner account and thus get the money. Spreadshirt partners have no financial damage. The commissions will be paid out with the next payout.”
IT security consultant Tom Salmon, who alerted Infosecurity to the attack, said that this is quite a common attack vector, and he suspected that the access was detected due to decent monitoring.
He explained: “In this case, the compromise method was simple – the attackers used credentials previously stolen in other attacks to log in to Spreadshirt Partner accounts that had used the same username and password between multiple sites.”