CafePress finally warns customers that it was hacked

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

CafePress finally confirms customers had their data breached

Online merchandise retailer CafePress, used by millions of people to host an online store where they can sell custom-designed t-shirts, mugs, stickers, and more, has finally informed its customers that its systems were hacked and their personal details stolen.

23,205,290 unique email addresses are thought to have been stolen by hackers from CafePress’s systems alongside passwords weakly stored as base64 SHA-1 encoded hashes. Some of the stolen records came complete with names, home addresses, and phone numbers.

According to CafePress, “in a small number of cases” the last four digits of customers’ credit card numbers and credit card expiration dates have also been exposed.

Sign up to our free newsletter.
Security news, advice, and tips.

Disturbingly, some users have claimed that their details have been leaked even though they deleted their accounts “a long time ago.”

CafePress’s breach notification, made via email to affected users, comes several months after the breach is believed to have taken place (February 2019), and a full month-and-a-half after CafePress forced users to change their passwords.

Cafepress email

At the time of the mandatory password reset back in August, CafePress said it was because of a policy update rather than because it suspected customers’ data had been stolen by hackers.

Change password

CafePress would like us to believe that it only “recently discovered” it had a security problem.

And yet a breach at CafePress was being openly discussed on Twitter as far back as July.

I’m pleased to see CafePress has now notified affected users via email about its data breach, but less than happy about how long it has taken. Sadly that’s an all too familiar story… been there, seen that, got the t-shirt.

For those interested, more information is available in a security notice on CafePress’s website.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “CafePress finally warns customers that it was hacked”

  1. Marian Burnett

    Just heard about it this morning! I was not notified someone else texted me about it! No. Didn’t!!

  2. sue

    jfc, what took them so long. my mail was fraudulently forwarded to a lockbox in FL as a result. Figure they might owe me something. my bank told me i had been hacked but wouldn't say by who. guess i know now. 1k in merchandise. seriously messed up.

  3. Tom Fjerstad

    Appalling that they dragged their feet on this notification. Since my only real recourse to show my displeasure is to not use their service that is what I intend to do.

  4. Chris

    Just got an email – 11th October!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.