Submitted via IRC for SoyCow7671
CafePress Data Breach Exposes Personal Info of 23 Million Users
CafePress, a well-known custom T-Shirt and merchandise site, suffered a data breach that exposed the personal information of 23 million of their customers.
Users became aware of the breach today, not through CafePress, but through notifications from Troy Hunt's Have I Been Pwned service.
After hearing about a CafePress data breach being circulated, Hunt solicited the help of security researcher Jim Scott who had helped him with other data breaches in the past, such as Evite.
"Security researcher Jim Scott is just fine. About 2 weeks ago I got notified by Troy that CafePress.com data breach was circulating and if I had seen it. At that time, the only public source of this data breach was from the data breach search engine WeLeakInfo and was not being sold as far as I know. With the help of my colleagues, I started to search for the database more thoroughly until I found it," Scott told BleepingComputer via email.
Research by BleepingComputer shows that a dehashed CafePress database of approximately 493,000 accounts was being sold on hacker forums. It is not known if this is related to the same breach.
According to HIBP, CafePress was hacked in February 2019 and exposed the personal information for 23,205,290 users. This exposed data includes Email addresses, Names, Passwords, Phone numbers, and Physical addresses.
(Score: 2) by DavePolaschek on Friday August 09 2019, @11:23AM
I just double-checked. I have a CafePress account, but the password was unique, so no worries on that front. And the credit card they had is one I cancelled almost a year ago due to another data breach, so clear on that front, too.
Mostly, I think the answer is to not create accounts with new companies. I’ll check out as guest, or run things through a more centralized payment service (PayPal | ApplePay | whatever). Course the flip side is that without an account, I won’t be notified of breaches, but then CafePress didn’t notify me anyhow.
Oh, and their password reset functionality isn’t working at the moment, anyhow.