CafePress.com, an American e-commerce platform, turns out to be another victim of a cyber attack. Although the store hasn’t revealed anything officially. The news surfaced online suggesting a hacking attack happened earlier this year. It turns out that the site CafePress.com suffered a data breach impacting 23 million accounts.
CafePress.com Faced Data Breach
According to Troy Hunt and his ‘Have I Been Pwned’ website, the American merchandise site CafePress.com suffered a data breach this year. The service was hacked back in February 2019, where the attackers managed to access 23 million records.
As revealed, the breach affected 23,205,290 accounts exposing the personal details of users. Specifically, it included names, email addresses, SHA-1 hashed passwords, physical addresses, and phone numbers of the users.
Though the incident happened on February 20, 2019, it largely remained undisclosed. Then, security researcher Jim Scott spotted the data. According to his statement to Forbes,
About two weeks ago I got notified by Troy that CafePress.com data breach was circulating and if I had seen it… With the help of my colleagues, I started to search for the database until I found it.
In the previous month, another website similar to HIBP revealed the incident in a tweet.
New Data Breach Alert!
Site: Cafepress
Date: 02/2019
Records: 23,321,980
Status: Undisclosed
Info: Email, First Name, Last Name, HashSee if your information was leaked for free at (link: https://t.co/Il5zj4Bl4h) https://t.co/3ev8DRCmZ6#weleakinfo #infosec #databreach #OSINT
— We Leak Info (@weleakinfo) July 14, 2019
However, it got little focus. Hence, the customers had no idea of the breach until HIBP sent email notifications to the users.
Customer’s Passwords Reset After ‘Updating Password Policy’
Despite facing the attack, the site did not precisely inform its customers. Rather it simply asked the users to update their passwords, giving a weird justification.
According to the email shared by a Darren Pauli,
Pretty disingenuous of CafePress to mask a data breach of names, mobiles, and street addresses under a password policy update. pic.twitter.com/t7RUt6pRKH
— darren (@darrenpauli) August 5, 2019
This email has no mention of a security issue or a breach. Clearly, the vendors seemed to keep the matter hidden for some undetermined reason. Pauli told The Register,
I went to log into CafePress to see if they had my current street address and it threw that ‘change password’ page. No sign anywhere on the homepage or login of the breach – which Hunt puts as February this year – and no email in my inbox from them to notify me.
Anyhow, users of CafePress.com can check their accounts’ status for pwnage via the HaveIBeenPwned website.
Recently, another e-commerce platform, StockX, also behaved in a similar way. It first reset customers’ passwords, only to confirm later about a breach impacting 6 million records.
Let us know your thoughts in the comments.