
CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?

This article is more than 4 years old.

CafePress, the custom T-shirt and merchandise company, acquired by Snapfish for more than $25 million (£20 million) in November 2018, has been hacked. According to various reports, the breach that compromised more than 23 million accounts happened on February 20. Is yours one of them?

What is known about the CafePress breach?

Truth be told, very little at this stage. Like most people waking up this morning to an email from the haveibeenpwned (HIBP) breach database service, this was the first I had heard of it. A little digging has revealed, though, that another similar organization by the name of We Leak Info added the CafePress breach to its database on July 13. This earlier disclosure appears to have flown mostly under the radar, with just a Twitter posting and a brief mention on the "pwned" subreddit, a thread which has only really kicked into life today as the HIBP emails went out.

According to that HIBP notification, the breach itself took place on Feb 20 and compromised a total of 23,205,290 accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com.

The HIBP notification stated that the exposed data included 23 million unique email addresses; some of the compromised records also included names, physical addresses and phone numbers. However, since then, Jim Scott, the cybersecurity researcher who supplied the breach data, has been in touch with me again to add that passwords were also amongst the compromised data.

“It came to my attention that Troy forgot to add that passwords were also affected in this security incident,” Scott says, continuing “out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use especially in 2019 when better alternatives are available.” According to information supplied by Scott, the remaining users, who used CafePress through third-party applications such as Facebook or Amazon, did not have their passwords compromised.

Having spoken to Troy Hunt this afternoon, it would appear that the passwords in question are base64 encoded tokens, rather than user-chosen passwords, and there’s a lot of repetition. However, Hunt says that Scott has contacted him “to say there are SHA1 hashes too, but I haven’t seen them.” Hunt is currently drilling further into the data, and I will be sure to update the story here as soon as any more is known.

“About two weeks ago I got notified by Troy that CafePress.com data breach was circulating and if I had seen it,” Scott tells me during an email exchange this morning, “with the help of my colleagues, I started to search for the database until I found it.”

Why has it taken so long to find out about the CafePress breach?

Good question. An equally good one might be "why have I heard about this breach from HIBP and not CafePress itself?" of course. According to the Mozilla Firefox Monitor service, "It can sometimes take months or years for credentials exposed in a data breach to appear on the dark web. Breaches get added to our database as soon as they have been discovered and verified."

Jim Scott says that it isn’t that surprising that, as of now, there is still no public disclosure from CafePress of the incident as “a majority of data breaches often go undetected.”

“With the help of Troy,” Scott concludes “by adding this data to HaveIBeenPwned, I hope that more people become aware of their compromised credentials and take the necessary steps to safeguard their information."

HIBP confirmed: “Whilst the breach occurred in February, sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly. Have I Been Pwned will always attempt to alert you ASAP, it's just a question of how readily available the data is?”

There have been no notification emails from CafePress as far as I can ascertain. I've positively not received one to either of the two addresses flagged by HIBP.

Interestingly, I tried to log in with both those addresses only to be told that no account exists for either of them. Others have reported the same, while some in that same subreddit thread have said they were asked to reset their password when attempting to log in.

How can you find out if your email address was included?

Thankfully, that's a much simpler one to answer: browse over to the HIBP website and enter any email addresses you want to check. The database will quickly return information on any breaches that your details were found in, including the CafePress one.

What more can be done to prevent these "mega" breaches?

"I just don’t even know if it’s even possible to safeguard data online anymore," Ian Thornton-Trump, the head of cybersecurity for Amtrust International, says, "I think we need strong data retention and data expiration so consumers can decide how long their data is held and what data fields are retained."

Thornton-Trump confesses during our conversation that this would, of course, upset the consumer analysis and data science analytical industry as those services are built on the analysis of massive data sets. "So it appears that there is no end in sight and all organizations can do is regularly test their defenses and make incremental improvements to security as well as upgrading applications and their libraries to the latest secure versions," Thornton-Trump concedes.

What should you do now?

Penetration tester Andy Gill says that one reason, in this "another day another breach" age, it may have taken so long to come to light is that the data hasn't been attributed yet. Whatever the reason, his advice for the concerned public remains to use reasonable security practices such as "educating themselves about multi-factor authentication, using password managers to generate a password per site and even having a different email per site."

The latter can be achieved quickly enough using Gmail's "+" addressing (janedoe+cafepress@gmail.com, for example) so that, Gill advises, "if your credentials are used out of turn you'll know where the account originated."

What does CafePress have to say?

A CafePress spokesperson says that "CafePress Inc. learned of a potential security issue related to customer accounts. We have engaged third-party experts and are investigating the issue. Our commitment to maintaining the confidentiality of our customers' information is paramount to the employees and leadership of CafePress."

Updated August 5, 2019: Comments from Jim Scott, the researcher who was credited by HIBP as the source of the breach information, have been added.

Updated August 5, 2019: Further information from Jim Scott regarding the data that was compromised added.

Updated August 5, 2019: Comment from Troy Hunt, founder of Have I Been Pwned, regarding the latest news of passwords within the compromised data.

Updated August 7, 2019: A statement from a CafePress spokesperson has been added.
