CafePress reportedly caught up in breach affecting 23m customers

8 Aug 2019

Image: © ilkercelik/Stock.adobe.com

US online retailer CafePress faced harsh criticism over privacy missteps that may have exposed customer data.

Online retailer CafePress, which specialises in custom T-shirts and merchandise, is reported to have suffered a data breach in February 2019 that exposed sensitive information of more than 23m customers, including user passwords.

Troy Hunt, the operator of hack-tracking website Have I Been Pwned, first heard in mid-July that hacked details such as email addresses, physical addresses, names, phone numbers and more were circulating around forums online. The service subsequently sent out an email to its users informing them of the breach, which is how many came to learn of the event.

Critically, researchers said that many of the exposed passwords were encoded in base64 SHA1 – a particularly weak encryption network that security experts have decried as an outdated method.

Users who accessed CafePress through third-party applications such as Facebook and Amazon, however, did not have their passwords compromised.

CafePress has yet to make an official announcement in response to the revelations and so the breach remains unverified. However, reports have emerged that users were asked to reset their passwords when logging in, ostensibly due to an update to the company’s password policy.

In other data security news, reports emerged this week that UK challenger bank Monzo discovered almost 500,000 PINs had been stored for nearly six months in a part of the company’s internal system that employees had access to.

Meanwhile, it was reported that Honda stored 40GB of highly sensitive company data on an unsecured Elasticsearch database. It revealed information such as the company’s security systems and networks, technical data on its IP addresses and operating systems, and what patches they had.

It essentially provided the blueprints to would-be threat actors to launch a massive cyberattack, leading for the incident to be dubbed a “hacker’s dream”.

Eva Short was a journalist at Silicon Republic

editorial@siliconrepublic.com