Stories
Slash Boxes
Comments

SoylentNews is people

CafePress Data Breach Exposes Personal Info of 23 Million Users

posted by Fnord666 on Friday August 09 2019, @02:37AM   Printer-friendly
from the another-day-another-breach dept.

"upstart" writes:

Submitted via IRC for SoyCow7671

CafePress Data Breach Exposes Personal Info of 23 Million Users

CafePress, a well-known custom T-Shirt and merchandise site, suffered a data breach that exposed the personal information of 23 million of their customers.

Users became aware of the breach today, not through CafePress, but through notifications from Troy Hunt's Have I Been Pwned service. 

After hearing about a CafePress data breach being circulated, Hunt solicited the help of security researcher Jim Scott who had helped him with other data breaches in the past, such as Evite.

"Security researcher Jim Scott is just fine. About 2 weeks ago I got notified by Troy that CafePress.com data breach was circulating and if I had seen it. At that time, the only public source of this data breach was from the data breach search engine WeLeakInfo and was not being sold as far as I know. With the help of my colleagues, I started to search for the database more thoroughly until I found it," Scott told BleepingComputer via email.

Research by BleepingComputer shows that a dehashed CafePress database of approximately 493,000 accounts was being sold on  hacker forums. It is not known if this is related to the same breach.

According to HIBP, CafePress was hacked in February 2019 and exposed the personal information for 23,205,290 users. This exposed data includes Email addresses, Names, Passwords, Phone numbers, and Physical addresses.

Original Submission

 
This discussion has been archived. No new comments can be posted.
CafePress Data Breach Exposes Personal Info of 23 Million Users | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by DavePolaschek on Friday August 09 2019, @11:23AM

    by DavePolaschek (6129) on Friday August 09 2019, @11:23AM (#877845) Homepage Journal

    I just double-checked. I have a CafePress account, but the password was unique, so no worries on that front. And the credit card they had is one I cancelled almost a year ago due to another data breach, so clear on that front, too.

    Mostly, I think the answer is to not create accounts with new companies. I’ll check out as guest, or run things through a more centralized payment service (PayPal | ApplePay | whatever). Course the flip side is that without an account, I won’t be notified of breaches, but then CafePress didn’t notify me anyhow.

    Oh, and their password reset functionality isn’t working at the moment, anyhow.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2