CafePress Suffers Data Breach Impacting Over 22 Million Customers

CafePress, a well-known custom T-shirt and merchandise site, suffered a data breach that exposed the personal information of 23 million of its customers. Users became aware of the breach today, not through CafePress, but through notifications from Troy Hunt's Have I Been Pwned service. The database contained a total of 23,205,290 CafePress customer records, including email addresses, names, phone numbers, and physical addresses. About half the records also had password hashes attached, most of them stored as base64-encoded SHA-1 ("base64 SHA1"), according to Forbes. SHA-1 is a fast general-purpose hash rather than a password-hashing function, so a store of that kind is easily cracked in 2019 with a dictionary attack on commodity hardware.
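To make concrete why a base64 SHA-1 password store is "easily broken", here is an added Python example; it is not code from the article, from CafePress, or from Forbes. It assumes the legacy scheme was unsalted base64(SHA-1(password)), which the article does not state outright, and uses a constructed set of hypothetical user records and a tiny wordlist in place of the real data. It then shows the standard-library alternative a site should use (a per-user random salt and a slow KDF; PBKDF2-HMAC-SHA256 here, though bcrypt or Argon2 are better choices when a third-party package is acceptable).

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional


def legacy_hash(password: str) -> str:
    """Assumed legacy scheme: base64(SHA-1(password)), no salt, no work factor."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample records (hypothetical users, not real CafePress data).
LEAKED: Dict[str, str] = {
    "alice@example.com": legacy_hash("sunshine"),
    "bob@example.com": legacy_hash("Password1"),
    "carol@example.com": legacy_hash("tr0ub4dor&3xyz!!"),  # not in wordlist
    "dave@example.com": legacy_hash("sunshine"),           # same as alice
}

# Constructed mini wordlist; a real attack would use rockyou-scale lists.
WORDLIST: List[str] = ["123456", "password", "sunshine", "qwerty",
                       "Password1", "letmein"]


def shared_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Without a salt, every user with the same password has the same hash,
    so one lookup table (or one cracked hash) covers all of them at once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for email, digest in records.items():
        groups[digest].append(email)
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_legacy(records: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack: hash each candidate once, then match every record
    against the table. Cost is one SHA-1 per candidate, not per user."""
    table = {legacy_hash(w): w for w in wordlist}
    return {email: table[h] for email, h in records.items() if h in table}


# Hardened alternative: random per-user salt plus a deliberately slow KDF.
# 600,000 iterations is the 2023 OWASP figure for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Returns a self-describing string: algo$iterations$salt$digest (base64)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_hardened(password: str, stored: str) -> bool:
    """Recomputes the KDF with the stored salt and compares in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def cost_ratio(password: str = "sunshine", samples: int = 5) -> float:
    """Rough wall-clock ratio of one hardened guess to one legacy guess."""
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        legacy_hash(password)
    legacy = (time.perf_counter() - t0) / (samples * 1000)
    salt = secrets.token_bytes(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hardened_hash(password, salt)
    hardened = (time.perf_counter() - t0) / samples
    return hardened / legacy


if __name__ == "__main__":
    print("users sharing a hash:", shared_hash_groups(LEAKED))
    print("cracked:", crack_legacy(LEAKED, WORDLIST))
    print("hardened guess costs ~%.0fx a legacy guess" % cost_ratio())
```

Running the block recovers alice, bob and dave from the constructed records in one pass while carol survives only because her password is absent from the wordlist; the printed cost ratio is machine-dependent but shows each guess against the hardened store costing several orders of magnitude more than a SHA-1 guess, which is the whole point of a work factor.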

1 Expert Comment
Martin Jartelius, CSO
August 7, 2019 10:32 am

The worst problem, in this case, is not the breach, but the affected users who have not been informed. Legislation, including for example the European GDPR, was created to handle this specific problem – it is there to decrease the risk of exposing users' private information, and most importantly it is there to ensure that if a company fails to protect users, they have the right to be informed and thereby take corrective actions. The bad habit of user password reuse means that while CafePress logins may be protected by the forced password reset, any reuse of passwords may lead to consequences for users. Sadly, withholding this information is a very bad practice.
