
CafePress Breach
Feb 19, 2019
23,579,964 rows
What happened in the CafePress Breach?
DataBreach.com Team · November 30th 2024, 7:00 pm EST
CafePress, the custom-merchandise marketplace that Snapfish had acquired only months earlier, suffered a quiet but consequential intrusion in mid-February 2019, when attackers gained access to a customer database holding roughly 23 million records. The cache, which surfaced for sale on darknet forums that summer, ultimately totaled 23,579,964 rows and spanned years of customer activity.
Security researchers who analyzed the leak found that e-mail addresses, full names, home addresses, and phone numbers were stored in plaintext, while passwords were stored as unsalted SHA-1 hashes, a fast general-purpose digest long deprecated for password storage: with no per-user salt, one precomputed lookup table cracks every user who chose a common password, and identical hashes expose password reuse across accounts. Even more troubling, the dump included millions of unencrypted password-reset security questions and answers, more than 180,000 Social Security numbers, and tens of thousands of partial payment-card details, enough to enable credential stuffing, identity theft, and socially engineered fraud at scale.
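The following is an added illustration, not code or data from the CafePress breach, of why an unsalted SHA-1 store falls so quickly and what the salted, slow-KDF alternative changes. The user records, passwords and wordlist are constructed for the example; the store format, the hypothetical helper names (crack_unsalted_sha1, hash_password and so on) and the scrypt parameters are my assumptions, and only the Python standard library is used.

```python
"""Unsalted SHA-1 password storage versus a salted, slow KDF.

Everything below is constructed for illustration; it is not CafePress data.
"""
import hashlib
import hmac
import os

# Constructed sample of what an unsalted SHA-1 store looks like: the digest of
# the bare password, with nothing per-user mixed in.
SAMPLE_PASSWORDS = {
    "alice@example.com": "password1",
    "bob@example.com": "letmein",
    "carol@example.com": "password1",   # same password as alice
    "dave@example.com": "Tr0ub4dor&3",  # absent from the attacker's wordlist
}
UNSALTED_DUMP = {
    user: hashlib.sha1(pw.encode()).hexdigest()
    for user, pw in SAMPLE_PASSWORDS.items()
}

# A tiny constructed wordlist standing in for the multi-gigabyte lists used in practice.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "cafepress"]


def crack_unsalted_sha1(dump, wordlist):
    """Recover passwords from an unsalted SHA-1 dump with a single lookup table.

    With no salt, every user who chose the same password has the same digest, so
    each wordlist entry is hashed once and matched against all users at once:
    the cost is proportional to the wordlist, not to users times wordlist.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def duplicate_password_groups(dump):
    """Identical digests in an unsalted store reveal password reuse across users."""
    groups = {}
    for user, h in dump.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Hardened store (assumed format "salt_hex$digest_hex"): a random per-user salt and a
# deliberately slow, memory-hard KDF. scrypt is used because it ships with hashlib;
# Argon2id or bcrypt are the usual choices when a third-party library is available.
# These parameters are modest so the example runs quickly; production settings
# should be tuned upward.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Return a salted scrypt record for storage; a fresh salt per call by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored record."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(dump, wordlist):
    """The same wordlist attack against the salted store.

    The shared lookup table no longer applies: each user needs a separate pass
    over the wordlist, and every guess costs a full scrypt evaluation. Weak
    passwords still fall, but the attacker's work grows with users times wordlist
    times KDF cost instead of wordlist times a single SHA-1.
    """
    cracked = {}
    for user, stored in dump.items():
        for w in wordlist:
            if verify_password(w, stored):
                cracked[user] = w
                break
    return cracked


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted_sha1(UNSALTED_DUMP, WORDLIST))
    print("reuse visible in dump:", duplicate_password_groups(UNSALTED_DUMP))
    salted_dump = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("salted scrypt cracked:", crack_salted(salted_dump, WORDLIST))
```

Run as a script, the first call recovers three of the four accounts with six SHA-1 computations, and the duplicate check pairs alice and carol without cracking anything. The salted run recovers the same weak passwords but needs a separate scrypt evaluation for every user and guess, which is the cost difference that turns a dump of 23 million rows from an afternoon's work into a budget decision.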
CafePress kept the incident under wraps for months, quietly forcing password resets in late July but offering customers no explanation until after news outlets and the “Have I Been Pwned” service broke the story on 5 August 2019. The company’s belated notice downplayed both the attack vector and the sensitivity of the stolen data, a stance that drew sharp criticism from security professionals and privacy advocates.
Regulators took a dim view of the delay and the underlying security lapses. In March 2022 the U.S. Federal Trade Commission filed a complaint alleging that CafePress had failed to employ reasonable safeguards, ignored multiple warning signs of compromise, and misrepresented its data-protection practices. The resulting consent order required the company’s former owner to pay $500,000 in consumer redress, implement a comprehensive information-security program subject to independent assessments every two years, and purge unnecessary personal data retained in its systems.
The FTC has since mailed more than 20,000 restitution checks to users whose Social Security numbers were exposed, underscoring regulators’ growing willingness to extract cash penalties, even for breaches that fall outside HIPAA or industry-specific statutes, when companies both neglect basic cyber-hygiene and stall on disclosure.




