[BreachExchange] Several months after the fact, CafePress finally acknowledges huge data theft to its customers

Destry Winant destry at riskbasedsecurity.com
Tue Sep 24 09:53:53 EDT 2019


T-shirt flogger CafePress has finally informed its customers about a
serious data loss dating back to February and first reported last

Several CafePress punters told us they had received an email this
morning warning them the company had lost customer names, emails,
physical addresses, phone numbers and unencrypted passwords. Some
customers have also had the last four numbers of payment cards and
expiry dates nabbed by hackers.

The email, addressed to "Dear Valued Customer", says that the incident
happened "on or about February 19". But fear not: "We have been
diligently investigating this incident with the assistance of outside

The email claims that CafePress "recently discovered" the security
hole. But in early August, the company ran a mass-password reset
following reports that some 23 million user details were floating
around on hacker forums.

Security researcher Jim Scott told The Register at the time: "Out of
the 23 million compromised users, roughly half of them had their
passwords exposed encoded in base64 SHA-1." The hack was originally
spotted by Troy Hunt, operator of the Have I Been Pwned website.
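The "base64 SHA-1" storage described above is the weak scheme at the heart of this story: an unsalted, single-round hash means every user who chose the same password ends up with the same stored value, and a single precomputed lookup recovers all of them at once. The following added example (not from the article, nor CafePress code; the users and passwords are constructed) contrasts that scheme with a salted, iterated PBKDF2 record using only the Python standard library, and shows why the legacy form is so cheap to reverse. The record format (`pbkdf2_sha256$iterations$salt$hash`) is an assumption chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample data: two unrelated users who happen to share a password.
USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}


def legacy_sha1_b64(password: str) -> str:
    """The scheme reported in the breach: unsalted SHA-1, base64-encoded.

    Deterministic and fast, so identical passwords produce identical
    values and a precomputed table cracks every matching account at once.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def legacy_collisions(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by their legacy stored value; any group >1 is a giveaway."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, pw in users.items():
        groups[legacy_sha1_b64(pw)].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def pbkdf2_record(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record (format is an assumption).

    A fresh 16-byte random salt per user means equal passwords no longer
    share a stored value, and the iteration count makes guessing slow.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        alg, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def salted_records_differ(password: str) -> bool:
    """Same password, two users: the hardened records must not match."""
    return pbkdf2_record(password) != pbkdf2_record(password)


if __name__ == "__main__":
    print("legacy collisions:", legacy_collisions(USERS))
    rec = pbkdf2_record(USERS["alice"])
    print("alice record:", rec)
    print("verify ok:", verify_pbkdf2("correct horse", rec),
          "verify wrong:", verify_pbkdf2("wrong", rec))
```

Running it shows alice and bob grouped under one identical legacy value, while their PBKDF2 records differ and still verify correctly. The iteration count is a tunable cost; the point the article's reader makes, that nobody building a site needs to keep reversible or trivially-reversible passwords, is exactly what the salted, iterated form delivers.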

Today's email says that an unidentified third party accessed a
CafePress database and customer data. They may also have had access to
CafePress accounts for a limited time and the information "could have
been used for fraudulent activity".

The company said it is working with US law enforcement and has
notified UK and European regulators. It has also shifted the database
and "taken various steps to further enhance the security of our
systems and your information".

CafePress claims to have informed regulators and includes links to
Experian, Transunion and Equifax for customers wanting to check their
credit rating.

The company has not responded to our questions, which include why
passwords were not properly encrypted and why it has taken so long to
warn customers.

One Reg reader sent us the following:

Pretty damn crappy, isn't it! I'm just so pissed off that yet another
company is keeping (and I guess they may just have worded their email
badly) passwords in plain text. Surely, by now, anyone building any
sort of site should know better. I've been building sites for far more
years than I care to think about, and have never needed to do that –
just an inherently stupid idea.

An ICO spokesperson said: "CafePress has made us aware of an incident
and we are making enquiries."

We will update this story if we get any response from CafePress. ®
