Garment decoration service provider Spreadshirt has confirmed that re-used credentials were used to access partner websites.
In an email alert shared with Infosecurity, Leipzig-based Spreadshirt said that it was able to detect the unauthorized access attempts on partner accounts which were aiming to extract lists of addresses and passwords from the company's online platform.
“We conducted a comprehensive and thorough review of partner data for any questionable activity once we had become aware of the activity,” the message read.
In a second email sent today (6 January), Spreadshirt confirmed that “fraudulent log-in attempts to Spreadshirt Partner accounts have been made. The attacker(s) used lists of email addresses and passwords obtained from compromised online services and used them against Spreadshirt Partner accounts.”
The company believed that the attack was facilitated by credential re-use, and has implemented a password reset. In a statement issued to Infosecurity, a company spokesperson said: “We took action immediately when we noticed the first fraudulent logins and asked the affected Partners to change their passwords and check their payout details.
“Because the attack is still ongoing and because not all partners changed their passwords we decided to reset them in all affected accounts yesterday, 5 January. All other Spreadshirt Partners received an email yesterday asking them to change their passwords and giving tips how a secure password should look like.”
Asked how it was able to detect the unauthorized access and in what time frame, the company said that it “reacted immediately and had taken all necessary measures to protect our Partner accounts”.
The spokesperson added that it “reacted immediately, re-set the passwords of affected partners and asked all others to set new passwords and check their accounts.”
“The attacker's goal is to change the PayPal payout address for the commission payout in the Partner account and thus get the money. Spreadshirt partners have no financial damage. The commissions will be paid out with the next payout.” The company did not answer a question on how fast it was able to detect the unauthorized access, or if any records were affected.
IT security consultant Tom Salmon, who alerted Infosecurity to the issue, said that this is quite a common attack vector, and he suspected that the access was detected due to decent monitoring.
“In this case, the compromise method was simple – the attackers used credentials previously stolen in other attacks to log in to Spreadshirt Partner accounts that had used the same username and password between multiple sites,” he said.
Salmon recommended monitoring publicly available databases of accounts known to have been compromised, and taking steps to temporarily disable a user account found there until the user has changed their password. He added that if a company detects a high number of failed login attempts, followed shortly by a successful login, there is a high likelihood that someone has guessed a password or tested a bulk list of accounts.
“If neither of these changes or indicators were actively monitored the final method of detection would be the affected users wondering why they were not paid. This would have triggered an investigation.”
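The second indicator Salmon describes, a burst of failed logins followed shortly by a success, can be expressed as a sliding-window check over authentication logs. The following is an added example, not code from Spreadshirt or from the article; the log format, the grouping by source IP, the five-minute window and the threshold of five failures are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the incident): time, source IP, account, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:00 198.51.100.20 shop-owner@example.org FAIL
2024-03-01T09:00:20 198.51.100.20 shop-owner@example.org OK
2024-03-01T10:00:01 203.0.113.7 p1@example.org FAIL
2024-03-01T10:00:03 203.0.113.7 p2@example.org FAIL
2024-03-01T10:00:05 203.0.113.7 p3@example.org FAIL
2024-03-01T10:00:07 203.0.113.7 p4@example.org FAIL
2024-03-01T10:00:09 203.0.113.7 p5@example.org FAIL
2024-03-01T10:00:11 203.0.113.7 p6@example.org OK
2024-03-01T10:30:00 203.0.113.7 p7@example.org OK
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
THRESHOLD = 5                  # assumed minimum failures before a success


def suspicious_successes(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return successful logins preceded by >= threshold failures from the same source within window."""
    failures = defaultdict(deque)  # source IP -> recent (time, account) failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, src, account, outcome = line.split()
        ts = datetime.fromisoformat(stamp)
        recent = failures[src]
        # Drop failures that are older than the look-back window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if outcome == "FAIL":
            recent.append((ts, account))
        elif outcome == "OK" and len(recent) >= threshold:
            alerts.append({
                "time": ts.isoformat(),
                "source": src,
                "account": account,
                "failed_attempts": len(recent),
                "distinct_accounts_tried": len({a for _, a in recent}),
            })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_successes(SAMPLE_LOG):
        print(alert)
```

A high `distinct_accounts_tried` value points to a bulk list being tested rather than one user mistyping a password; the flagged account is the one to lock and have its payout details reviewed.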