I am a huge fan of Have I been pwned and signed up for breach notifications some years back. Yesterday, I got an email saying that my details were included in a breach from CafePress.
This was the first that I had heard of this and appears to be the same for other people from what I've seen on twitter and in various articles across the internet.
At first, I wondered if CafePress had suffered a breach without being aware of it. However, they have kept remarkably silent and have - so far - ignored all requests for information from customers and news agencies.
Anyone logging on to the site now has to change their password but there has been no information from CafePress as to why this is required.
There is no information about this new "password policy" or why the change is mandated. According to people who have seen the breach data, it is stored unencrypted except for the passwords, which are protected with weak encryption.
I know that Have I Been Pwned validates the data in breaches it loads, so I trust that the breach is real. In addition, the site We Leak Info has called this a "Verified Breach".
Normally, I would just chalk this up to a company being crap, but in this case I'm a lot more concerned because this data contains my home address. I do not care if my personal email or my password is leaked - those are easy to handle - but I do care about my address being leaked, and I'm disgusted that CafePress have totally ignored questions around this and have not posted anything about it online.
I've contacted the company and will post an update with whatever they say if they reply. They have a few more days to report to the various data protection authorities before they are in breach of those rules, so I'll also update this if they do post anything.