CafePress Finally Fesses up to the Massive Data Breach
Many people now know that popular t-shirt and merchandise retailer CafePress suffered a major data breach back in early 2019. In July, the followers of a Twitter account going by the name We Leak Info learned about it, and a couple of weeks later, when security specialist Troy Hunt got his hands on the data, the news was spread much further.
As we mentioned at the time, the incident took place in February, and it was quite large, with around 23 million accounts affected. The leaked data included details like physical addresses too, and according to Troy Hunt, the passwords that were in the dump weren't very well protected. In light of all this, CafePress' behavior was positively strange.
There was no official statement, and although quite a few reporters tried to ask for a comment, the retailer remained tight-lipped. Some users said that they had been forced to change their passwords, but they were apparently told that the action was triggered by a new password policy, not a data breach.
Right now, more than a month and a half after Troy Hunt loaded the database in Have I Been Pwned, and just over seven months after the information was stolen, CafePress is finally publicly admitting that it has suffered a data breach.
CafePress customers start receiving data breach notifications over email
Last week, CafePress started sending out emails which informed "valued customers" of "a data security incident", which involved their personal information. The retailer apologized profusely about the leak and shed some more light on the matter. But was it enough?
According to screenshots shared on social media, users were told that personal information, including names, email addresses, and passwords, may have been involved. People were assured that the data has been moved to "a different environment", but were advised to change the password they were using for their CafePress account on any other online services where it may still be in use. The email also stated that users should "remain vigilant" and watch out for any signs of identity theft.
Many people who received the notification weren't especially happy with it. Some of them were quite upset about the fact that their passwords had been stored in what appears to be a retrievable format (the notifications don't give details on the exact storage mechanism). Others thought that this sort of message shouldn't come from a "donotreply" address, and most were quite angry about the fact that the retailer is opening up about the breach more than half a year after it happened. There are a few things, however, which could put them in an even darker mood.
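To make concrete what "stored in a retrievable format" means in contrast to properly protected passwords, here is a short added illustration (constructed for this article; it is not CafePress code and says nothing about how CafePress actually stored anything). It puts a reversible encoding, from which the plaintext comes straight back out of a leaked database, beside a salted, iterated one-way hash built with Python's standard-library PBKDF2. The iteration count and the `pbkdf2_sha256$...` record layout are illustrative choices, not values from the article.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative work factor for this example; real deployments tune this to
# their hardware, and this is not a value taken from the article.
ITERATIONS = 200_000


def store_reversible(password: str) -> str:
    """Reversible 'protection': whoever obtains the database recovers the
    password in one step. Stands in for any scheme the server can undo."""
    return base64.b64encode(password.encode()).decode()


def recover_reversible(stored: str) -> str:
    """Shows why reversible storage is a problem: no secret is needed."""
    return base64.b64decode(stored).decode()


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """One-way storage: a fresh random salt per user plus PBKDF2-HMAC-SHA256.
    The record holds everything needed to verify, but not the plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Record format (constructed here): algorithm$iterations$salt$digest, all hex.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so the check itself leaks nothing about the digest."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def plaintext_exposed(password: str, stored: str) -> bool:
    """True if the raw password is readable from the stored record at all,
    either literally or through a trivial reversible decode."""
    if password in stored:
        return True
    try:
        return recover_reversible(stored) == password
    except Exception:
        return False


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    rev = store_reversible(pw)
    hashed = store_hashed(pw)
    print("reversible record exposes plaintext:", plaintext_exposed(pw, rev))
    print("hashed record exposes plaintext:   ", plaintext_exposed(pw, hashed))
    print("hashed record verifies:            ", verify_hashed(pw, hashed))
```

The salt is what makes two users with the same password produce different records, so a leaked table cannot be attacked one precomputed list at a time; the iteration count is what makes each guess expensive. Neither property exists for a record the server can simply decode.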
The details are still hard to find
Thanks to the power of the internet, we can learn that on September 4, about two weeks before the first data breach notifications started hitting people's inboxes, CafePress' lawyers sent a formal letter [PDF] to Iowa's Attorney General to publicly inform the institution of the breach. A day later, on September 5, the retailer published a page on its website that is dedicated to the incident. Versions for UK, Canadian, and Australian citizens are also available, but for reasons that are not particularly clear, finding them is not very easy. At the time of writing, this content doesn't seem to be available through CafePress' search engine, and as far as we can work out, it hasn't been shared with users in any way. The information in the letter to Iowa's Attorney General and the hard-to-locate webpage does give us more details on the whole data breach, though.
It gives us a breakdown of affected individuals' geographic location. Apparently, more than 22 million people were hit globally, including 450 thousand Australians, around 495 thousand Canadians, and a little over 1 million EU citizens (of whom 880 thousand live in the UK). In addition to names, email addresses, and passwords, the "unidentified third party" that breached CafePress' security managed to steal the last four digits and expiration dates of some credit cards as well as sensitive information like Social Security and Tax Identification numbers (including the equivalents in Canada, Australia, and the UK). Thankfully, only about 1% of all affected individuals had details like Social Security Numbers exposed, and they will all receive identity theft protection paid for by CafePress.
The letter to Iowa's Attorney General says that on August 6, CafePress "discovered" that its customers' personal data was "purportedly offered for sale and available on the dark web". The retailer's security people probably weren't too surprised by this "discovery", though, because according to the same document, on March 13, they dealt with a security vulnerability in the affected database. Back then, they found "no forensic evidence" to suggest that information had been stolen, but on April 15, 2019, they nevertheless forced a password reset for everyone trying to log into their account. Because of this, the document states that the "passwords that may have been obtained during this incident were therefore no longer effective as of April 15, 2019".
Even if we assume that this is the case, we can't ignore the fact that people reuse passwords all the time. We also can't ignore the fact that CafePress hasn't handled the issue in the most transparent possible way.