23 Million Accounts Have Been Compromised in a CafePress Data Breach
CafePress is an online retailer that sells everything from stationery, through bedding, to hoodies with all sorts of exciting designs. It's been in the business for close to twenty years now, but at the moment it's in a bit of a pickle. Not that you can tell, mind you.
Visit any of CafePress' social media feeds, and you'll be left thinking that all is well. The online shop's homepage also doesn't suggest that there's been a major cybersecurity incident. Unfortunately, this is exactly what has happened, and it has affected no fewer than 23 million users.
Hackers stole more than 23 million CafePress records back in February
A breach reporting service by the name of We Leak Info first broke the news on July 14, when it said that it has found a database containing the records of more than 23.3 million CafePress users. According to We Leak Info, the information it found was stolen in February, and it included names, emails, and password hashes. Despite the significant number of affected individuals, nobody paid any attention to We Leak Info's breach alert. When Troy Hunt got his hands on the data, however, things changed dramatically.
Hunt recently received what appears to be compromised CafePress information from a person who prefers to be known by his email address – JimScott.Sec@protonmail.com. On August 5, Hunt loaded it into his Have I Been Pwned service, and he started sending out notifications to the victims who had subscribed to his alerts. At first, it looked like the data he had differed from what We Leak Info had reported on. Hunt initially said that the database didn't hold any password hashes, but he later updated the description when he found out that some hashed and encoded passwords were indeed part of the stolen information. According to the Australian cybersecurity guru, however, the dump also contains phone numbers and physical addresses.
CafePress acts as if nothing has happened
People who received Troy Hunt's notifications took to social media to try and work out what's going on, and soon enough, outlets like Forbes and The Register were all over the story. Predictably, reporters tried to get in touch with CafePress and find out more about the breach, but they received no response.
More than 24 hours after Troy Hunt's first alerts started flying around, the company remains silent. CafePress hasn't issued an official statement, its Facebook page continues to promote new products and sales, and on Twitter, the retailer has replied to just one of the many questions upset customers are asking.
The retailer hasn't completely ignored the breach and has initiated a password reset campaign for what appears to be all its users. The thing is, the wording in the notifications seems to be deliberately designed to steer people's attention away from the data breach. As tech journalist Darren Pauli reported, the email states that the reason for the password change lies with an updated password policy. February's data breach doesn't get as much as a mention.
This type of head-in-the-sand behavior really isn't doing CafePress' credibility any favors. You could argue that it's already too late, but if they want to look even remotely interested in people's privacy, the least the management team could do is publicly announce that their systems have been breached and that they are trying to prevent this sort of thing from happening again in the future. Given the circumstances, it's the only right course of action.