CafePress, a well-known custom T-Shirt and merchandise site, suffered a data breach that exposed the personal information of 23 million of their customers. Users became aware of the breach today, not through CafePress, but through notifications from Troy Hunt’s Have I Been Pwned service. The database contained a total 23,205,290 CafePress customer records, including email addresses, names, phone numbers, and physical addresses. About half the records also had encrypted passwords attached, with most of them hashed using an older form of encryption known as “base64 SHA1,” according to Forbes, that’s easily broken in 2019.
The worst problem, in this case, is not the breach, but the affected users who have not been informed. Legislation, including for example the European GDPR, was created to handle this specific problem – it is there to decrease the risk of exposing users private information, and most importantly it is there to ensure that if a company fails to protect users, they have the right to be informed and thereby take corrective actions. The bad habit of user password reuse means that while CafePress logins may be protected by the forced password reset, any re-use of passwords may lead to consequences for users. Sadly withholding this information is a very bad practice.