CafePress, the popular custom T-shirt and merchandise online retailer, has suffered a data breach affecting 23 million accounts, according to cybersecurity researchers.
According to reports, news of the breach broke when infosec researcher Troy Hunt of Have I Been Pwned (HIBP) began sending notifications to affected customers on Monday, saying that millions of people’s personal details were circulating on hacker forums. According to Hunt, the data was provided by an HIBP source whom he identified as JimScott.Sec@protonmail.com.
The data breach, which happened on February 20, affected a total of 23,205,290 accounts, said HIBP. The exposed data covers a broad range of customer details, including full names, email addresses, passwords, home addresses, and contact numbers.
Despite the revelation, the breach has not been confirmed, as CafePress declined to comment on the issue. However, the online retailer has recently forced a password reset on its customers, citing an update to the company’s “password policy.” This prompted users to change their passwords to a minimum of 8 characters and a maximum of 128. The notification also required customers to use at least 3 different character types from numbers, symbols, uppercase, and lowercase letters.
In an interview with Forbes, Jim Scott, the cybersecurity researcher who had informed Troy Hunt about the breach, said that customers’ passwords had also been affected by the incident. “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use especially in 2019 when better alternatives are available,” he explained.
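The storage weakness the researcher describes, set beside the password policy from the reset notice, as an added Python example (not code from CafePress or HIBP): base64 SHA-1 is an unsalted, fast hash rather than encryption, so identical passwords produce identical strings across users and across dumps, whereas a salted, iterated KDF does not. The stored-record format, iteration count and sample user store are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import string
from collections import Counter
from typing import Optional

# Policy from the reset notice: 8 to 128 characters, at least 3 of 4 classes.
def meets_policy(password: str) -> bool:
    if not 8 <= len(password) <= 128:
        return False
    classes = (
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
    )
    return sum(classes) >= 3

# Legacy scheme the article describes: unsalted SHA-1, base64-encoded.
# It is a hash, not encryption, and it is deterministic and cheap to compute.
def legacy_hash(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# With no salt, users sharing a password are visible in a dump without any
# cracking at all: identical digests simply repeat. Returns {digest: count}.
def shared_legacy_hashes(store: dict) -> dict:
    counts = Counter(store.values())
    return {h: n for h, n in counts.items() if n > 1}

# Salted, iterated alternative using only the standard library.
# Record format "pbkdf2$<iters>$<salt_b64>$<dk_b64>" is an assumption.
def modern_hash(password: str, iterations: int = 600_000,
                salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2${}${}${}".format(iterations,
                                    base64.b64encode(salt).decode(),
                                    base64.b64encode(dk).decode())

def verify_modern(password: str, stored: str) -> bool:
    _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))  # constant-time
```

Two users who both chose "Summer2019!" get the same legacy digest but different modern records, which is why a salt plus a slow KDF limits the damage of exactly this kind of dump.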
The security researcher also added that users who logged in to CafePress via third-party services, such as Facebook or Amazon, did not have their passwords compromised.
“It is very disappointing and frustrating to see when companies are unable to protect their users’ information when the necessary approach for better protection is available. And when an incident like this occurs, it is often the user who has to pay the price for other people’s mistakes,” he continued.
In mid-July, a similar data breach tracker called We Leak Info had also added the CafePress breach to its database. However, that listing failed to attract much public attention.
“Whilst the breach occurred in February, sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly. Have I Been Pwned will always attempt to alert you ASAP, it’s just a question of how readily available the data is,” HIBP said.