T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month.
Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had the last four numbers of payment cards and expiry dates nabbed by hackers.
The email, addressed to “Dear Valued Customer”, says that the incident happened “on or about February 19”. But fear not: “We have been diligently investigating this incident with the assistance of outside experts.”
The email claims that CafePress “recently discovered” the security hole. But in early August, the company ran a mass-password reset following reports that some 23 million user details were floating around on hacker forums.
Security researcher Jim Scott told The Register at the time: “Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1.” The hack was originally spotted by Troy Hunt, operator of the Have I Been Pwned website.
Today’s email says that an unidentified third party accessed a CafePress database and customer data. They may also have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity”.
The company has not responded to our questions, which include why passwords were not properly encrypted and why it has taken so long to warn customers.