Create-your-own merchandise website CafePress is paying $370,000 to customers who were harmed by its failure to protect their sensitive data, the U.S. Federal Trade Commission said Wednesday.
CafePress, a website where people can design and sell T-shirts, mugs and more, got hacked multiple times and stored customers' Social Security numbers and password reset answers in readable text for longer than necessary, the FTC said.
In 2019, hackers compromised 23 million accounts on CafePress.
The payments follow a March 2022 settlement resolving the FTC's allegations against CafePress, in which the federal agency also accused the website of covering up its data breaches, among other shady practices.
Who is getting the CafePress refunds?
The FTC said it is sending checks and PayPal payments to 20,044 customers who filed a claim before the deadline.
Victims of the CafePress hack should cash their check within 90 days or redeem their PayPal payment within 30 days.