CafePress Slammed After Major Breach Affecting 23 Million

Online merchandise store CafePress has been criticized for poor incident response and cybersecurity after it emerged that over 23 million customers had their personal data stolen.

Breach notification site HaveIBeenPwned? was apparently the first many customers heard about the incident, which it said occurred in February this year.

“The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes,” it said in a brief note. The site appears to have been notified about the incident by security researcher Jim Scott.

There doesn’t appear to be any kind of notification on the official CafePress website or Twitter feed.

In fact, according to some customers who logged in to their accounts, the firm is forcing users to change their credentials but merely as part of a claimed ‘update’ to its password policy.

Stuart Reed, VP cyber at UK firm Nominet, pointed to the fact that half of the passwords in the breach were encrypted with the weak SHA-1 algorithm.

“This puts those passwords and their owners at risk not only from these compromised records but also if the passwords have been reused elsewhere. Given that the passwords have potentially been out in the wild since February, security for those affected has potentially been compromised for the past six months,” he argued.

“It is fundamental that firms identify and take action against data breaches fast. Identifying large scale exfiltration attacks, stopping the attack and keeping those affected informed as quickly as possible is the only way to successfully mitigate the impact.”

Layered security is vital, covering people, process and technology, he added.  

“While two-factor authentication, not using the same passwords, and changing your passwords when a breach has happened are all good practice, there has to be more responsibility taken by breached organizations to prevent, detect and block attacks more quickly,” said Reed.

Martin Jartelius, CSO at Outpost24, argued that the firm could be in breach of GDPR rules if it has failed to respond in a timely manner and EU citizens are affected.

“It is there to decrease the risk of exposing users' private information, and most importantly it is there to ensure that if a company fails to protect users, they have the right to be informed and thereby take corrective actions,” he said.

“The bad habit of user password reuse means that while CafePress logins may be protected by the forced password reset, any re-use of passwords may lead to consequences for users. Sadly withholding this information is a very bad practice.”

What’s Hot on Infosecurity Magazine?