Online merchandise retailer CafePress, used by millions of people to host an online store where they can sell custom-designed t-shirts, mugs, stickers, and more, has finally informed its customers that its systems were hacked and their personal details stolen.
23,205,290 unique email addresses are thought to have been stolen by hackers from CafePress’s systems alongside passwords weakly stored as base64 SHA-1 encoded hashes. Some of the stolen records came complete with names, home addresses, and phone numbers.
According to CafePress, “in a small number of cases” the last four digits of customers’ credit card numbers and credit card expiration dates have also been exposed.
Disturbingly, some users have claimed that their details have been leaked even though they deleted their accounts “a long time ago.”
CafePress’s breach notification, made via email to affected users, comes several months after the breach is believed to have taken place (February 2019), and a full month-and-a-half after CafePress forced users to change their passwords.
At the time of the mandatory password reset back in August, CafePress said it was because of a policy update rather than because it suspected customers’ data had been stolen by hackers.
CafePress would like us to believe that it only “recently discovered” it had a security problem.
And yet a breach at CafePress was being openly discussed on Twitter as far back as July.
I’m pleased to see CafePress has now notified affected users via email about its data breach, but less than happy about how long it has taken. Sadly that’s an all too familiar story… been there, seen that, got the t-shirt.
For those interested, more information is available in a security notice on CafePress’s website.