Cyber Incident Victim: CafePress
Date: Feb 2019
Location: United States of America
Summary
A cybersecurity breach at CafePress compromised over 23 million customer accounts, exposing email addresses, names, physical addresses, phone numbers, and passwords. Approximately half of the affected accounts had passwords stored as base64-encoded SHA-1 hashes, a weak storage scheme, while users who authenticated via third-party platforms like Facebook or Amazon were unaffected. The incident was identified by a security researcher who provided the data to a breach notification service, prompting public awareness. The company acknowledged the issue after the disclosure and initiated an investigation with external experts to address the security lapse.
Description
On February 20, 2019, CafePress experienced a data breach compromising 23,205,290 user accounts. The incident remained undetected until cybersecurity researcher Jim Scott identified the stolen database and provided it to Have I Been Pwned (HIBP) founder Troy Hunt in July 2019. The breach exposed 23 million unique email addresses, with additional compromised records containing names, physical addresses, and phone numbers. Approximately half of the affected accounts had password data exposed as base64-encoded SHA-1 hashes, a storage scheme considered weak by modern standards. Users who accessed CafePress through third-party platforms like Facebook or Amazon did not have passwords compromised. We Leak Info first added the breach to its database on July 13, 2019, but widespread awareness only occurred when HIBP began notifying affected users via email in early August 2019.

CafePress did not publicly disclose the breach prior to HIBP's notifications. The company issued a statement on August 7, 2019, confirming it had "learned of a potential security issue" and engaged third-party experts to investigate. Cybersecurity professionals noted the delayed discovery was consistent with industry patterns where breaches often remain undetected for extended periods. The exposed data included repetitive base64-encoded tokens rather than user-chosen passwords, though researcher Jim Scott maintained that SHA-1 hashes were present in the dataset. HIBP's integration of the breach data enabled users to verify compromised credentials through its notification service. No information regarding containment measures, forensic findings, or attacker methodology was disclosed by CafePress or investigators in the available reports.
