We literally just wrote about how it’s pretty crappy when companies lie to you about data breaches, and then American retailer CafePress rolls up and goes, “I can top that.”
According to the latest reports, a data breach at the popular American t-shirt creation site has affected a whopping 23 million of its users. The records in question were allegedly stolen in February — six months ago — and include names, physical addresses, and phone numbers, as described by the world’s best data-breach tracker, Have I Been Pwned.
We don’t offer idle flattery. In fact, if you signed up for Have I Been Pwned — and you absolutely should — that’s where you would have learned that your data was found in the CafePress breach. The site was the very first one to notify affected parties about the mess, not CafePress.
And this time it's CafePress with the data breach. pic.twitter.com/1BntwKYnuU
— Titus Barik (@barik) August 5, 2019
While CafePress then went out and told its users that they needed to change their passwords, it was not forthcoming about why — kind of important, given the size of the breach and the whole “being honest with your customers” thing.
Pretty disingenuous of CafePress to mask a data breach of names, mobiles, and street addresses under a password policy update. pic.twitter.com/t7RUt6pRKH
— darren (@darrenpauli) August 5, 2019
As of this writing, CafePress has no banner on its website to talk about the breach, nor any mention of the issue on its social media pages. We’d get that if it affected a small number of customers — not the best practice, but understandable.
However, 23 million is a pretty big number. While the purloined data isn’t super-critical, since it doesn’t contain any financial records, it’s still annoying to have to think about. If you’re CafePress, it’s absolutely something worth disclosing publicly, because that’s what honest companies do in times like these.
And just in case they don’t, services like Have I Been Pwned, Firefox Monitor (just a reskinned Have I Been Pwned), or 1Password’s Watchtower are essential for managing your data security. If you aren’t using one of them, you need to be.