CafePress finally warns customers that it was hacked

Graham Cluley

CafePress finally confirms customers had their data breached

CafePress finally confirms customers had their data breached

Online merchandise retailer CafePress, used by millions of people to host an online store where they can sell custom-designed t-shirts, mugs, stickers, and more, has finally informed its customers that its systems were hacked and their personal details stolen.

23,205,290 unique email addresses are thought to have been stolen by hackers from CafePress’s systems alongside passwords weakly stored as base64 SHA-1 encoded hashes. Some of the stolen records came complete with names, home addresses, and phone numbers.

According to CafePress, “in a small number of cases” the last four digits of customers’ credit card numbers and credit card expiration dates have also been exposed.

Disturbingly, some users have claimed that their details have been leaked even though they deleted their accounts “a long time ago.”

CafePress’s breach notification, made via email to affected users, comes several months after the breach is believed to have taken place (February 2019), and a full month-and-a-half after CafePress forced users to change their passwords.

Cafepress email

At the time of the mandatory password reset back in August, CafePress said it was because of a policy update rather than because it suspected customers’ data had been stolen by hackers.

Change password

CafePress would like us to believe that it only “recently discovered” it had a security problem.

And yet a breach at CafePress was being openly discussed on Twitter as far back as July.

I’m pleased to see CafePress has now notified affected users via email about its data breach, but less than happy about how long it has taken. Sadly that’s an all too familiar story… been there, seen that, got the t-shirt.

For those interested, more information is available in a security notice on CafePress’s website.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “CafePress finally warns customers that it was hacked”

  1. jfc, what took them so long. my mail was fraudulently forwarded to a lockbox in FL as a result. Figure they might owe me something. my bank told me i had been hacked but wouldn't say by who. guess i know now. 1k in merchandise. seriously messed up.

  2. Appalling that they dragged their feet on this notification. Since my only real recourse to show my displeasure is to not use their service that is what I intend to do.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay informed!

Join thousands of others by signing-up for the free “GCHQ” newsletter, containing the latest news and tips from security expert Graham Cluley.



Yes, I would like to subscribe to email updates from Graham Cluley. I know it’s easy to unsubscribe if I ever change my mind.