Have you purchased anything at CafePress? T-shirt, coffee mug, flip-flops? If you have, you could be one of the 23 million CafePress consumers who had their records hacked.
What makes this situation worse, at least for the consumer, is that the hack reportedly happened back in February but was never officially reported by the company. Had it not been for Have I Been Pwned (HIBP) or WeLeakInfo -- websites devoted to letting consumers know when a breach has occurred or their information has been compromised -- the CafePress hack may still be undisclosed.
The nitty gritty of the hack
A full accounting of the who, what, when, and why of the hack has yet to emerge because CafePress has not acknowledged or reported the hack.
However, according to HIBP's sleuthing, there were 23,205,290 accounts compromised that exposed email addresses, as well as an unknown quantity of records which contained names, physical addresses, phone numbers, and passwords. How those compromised accounts were repurposed (e.g. sold on the dark web) is anybody’s guess.
According to cybersecurity researcher Jim Scott, the person who originally discovered the breach, users’ CafePress passwords are a major concern.
Techie language aside, “roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use, especially in 2019 when better alternatives are available,” Scott told Forbes. Scott went on to say that consumers who bought from CafePress through its third-party applications on Amazon or Facebook did not have their passwords compromised.
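The storage scheme Scott describes, an unsalted SHA-1 digest encoded in base64, has two well-known weaknesses for a defender: every user with the same password ends up with the identical stored value, and SHA-1 is fast enough that guessed passwords can be checked at very high rates. The example below is added here and is not code from the article, from CafePress, or from HIBP; it assumes the legacy records are exactly base64(SHA-1(password)) with no salt, and it uses a hypothetical record layout and iteration count for the replacement scheme. It shows the usual remediation: detect legacy records, verify against them one last time at login, and re-store the password under salted PBKDF2-HMAC-SHA256 so the legacy value can be deleted.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameter for the replacement scheme (not from the article).
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """The weak legacy form the article describes: base64 of an unsalted SHA-1 digest.
    Kept only so existing records can be verified before they are upgraded."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample record in the legacy format (not real CafePress data).
LEGACY_RECORD = legacy_hash("correct horse")


def is_legacy_sha1_record(stored: str) -> bool:
    """True if the stored value decodes as exactly one 20-byte SHA-1 digest.
    Upgraded records contain '$' separators, which strict base64 rejects."""
    try:
        return len(base64.b64decode(stored, validate=True)) == 20
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def verify_legacy(password: str, stored: str) -> bool:
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(legacy_hash(password), stored)


def hash_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Hypothetical record layout: scheme$iterations$salt$key."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(key).decode(),
    )


def verify_pbkdf2(password: str, stored: str) -> bool:
    scheme, iterations, salt_b64, key_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(key, base64.b64decode(key_b64))


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login check that migrates legacy records on the first successful login.
    Returns (login_ok, record_to_store); the caller persists the second value."""
    if is_legacy_sha1_record(stored):
        if verify_legacy(password, stored):
            return True, hash_pbkdf2(password)  # replace the weak record now
        return False, stored
    return verify_pbkdf2(password, stored), stored


if __name__ == "__main__":
    ok, upgraded = verify_and_upgrade("correct horse", LEGACY_RECORD)
    print("legacy login ok:", ok)
    print("upgraded record:", upgraded)
    # Same password, identical legacy value; salted records differ every time.
    print("legacy collides:", legacy_hash("abc") == legacy_hash("abc"))
    print("pbkdf2 collides:", hash_pbkdf2("abc") == hash_pbkdf2("abc"))
```

Upgrade-on-login only covers users who sign in again; records that are never exercised stay in the weak form, so an operator would pair this with a forced reset or expiry for accounts that do not log in within some window.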
What’s a consumer to do?
If you’re getting tired of reading about hacks, you’re not alone. However, they’re the ugly underside of the digital world we all live in.
ConsumerAffairs went looking for some fresh suggestions on things consumers can do to protect their data going forward. When we reached out to HIBP’s Troy Hunt for his insights, he told us that guarding your data is actually pretty simple.
“For consumers, it always comes back to 3 simple things,” Hunt said. “Use a password manager (I use 1Password), turn on 2 factor authentication, and minimize the information they provide to third parties (i.e. don’t provide something like date of birth if you don’t need to).”
“Companies often either don’t know that they’ve had a data breach or don’t want to disclose it for fear of negative impact on their brand. Mind you, the repercussions of not disclosing can also be severe as regulators clamp down on mishandling of breach incidents.”
ConsumerAffairs reached out to CafePress for a comment on the situation and what steps it’s taking to insulate the consumer going forward, but the company has not yet responded.