CafePress Data Breach exposes technical details of 23 Million users

CafePress, the popular T-Shirt and merchandise website, suffered a data breach that exposed the personal details of 23 million of their customers.


The news was publicly reported by the data breach notification service Have I Been Pwned. 

Tweet from Troy Hunt (@troyhunt), August 5, 2019: I just updated the CafePress breach description on @haveibeenpwned to include passwords. It’s a really odd thing: there’s a heap of identical base64 encoded “passwords” and then some SHA-1 versions stored in hex then base64 encoded. Weird. https://t.co/OlgiuM5JNv

After becoming aware of a CafePress dump circulating in underground forums, Hunt asked security researcher Jim Scott to help him find it.

The pair eventually found the dump on a hacker forum; it contained details for roughly 493,000 accounts.

According to the Have I Been Pwned website, CafePress was compromised in February 2019 and the attackers accessed the personal details of 23,205,290 users.

Tweet from Have I Been Pwned (@haveibeenpwned), August 5, 2019: New breach: CafePress had 23M unique email addresses breached in February. Some records also contained names, physical addresses and phone numbers. 77% were already in @haveibeenpwned https://t.co/hv1u9SEsMR

The exposed data includes email addresses, names, passwords, phone numbers and physical addresses.

Security experts criticized the way the company handled the incident; some pointed out that it appeared to have tried to cover up the breach.

Tweet from Kevin Beaumont (@GossiTheDog), August 5, 2019: Cafepress become the second company in a week to cover up a breach, tells customers they have “updated our password policy” instead. Was actually a public breach of 23M user details. https://t.co/tsYJT6G2Wn

Jim Scott told BleepingComputer that about half of the exposed passwords were stored as SHA-1 hashes (hex-encoded, then base64-encoded), which is considered a weak way to protect passwords: SHA-1 is a fast general-purpose hash, so a leaked digest can be attacked offline at very high guess rates, and unless a per-user salt was used (none is mentioned), identical passwords produce identical hashes. The other records Hunt describes are simply base64-encoded “passwords”, which is an encoding rather than any form of protection and can be reversed instantly.
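As an added example, not code from the article, from CafePress or from the researchers quoted, the Python below triages records in the two shapes Hunt described: base64 of a plaintext password, and base64 of a hex SHA-1 digest. It classifies constructed sample records, shows that identical encoded values give away identical passwords, recovers the SHA-1 entries with a dictionary attack, and contrasts that with a salted, iterated PBKDF2 record built with the standard library. All emails, passwords and the wordlist are invented for the example; the function names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac
import os
import string
from collections import Counter

# Constructed sample records modelled on the two shapes reported for the dump:
# base64 of a plaintext password, and base64 of the hex SHA-1 digest of a
# password. Emails and passwords are invented for this example, not real data.
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def _sha1_hex_b64(password: bytes) -> str:
    return _b64(hashlib.sha1(password).hexdigest().encode("ascii"))

SAMPLE_RECORDS = [
    ("alice@example.com", _b64(b"password1")),
    ("bob@example.com", _b64(b"password1")),      # same encoded value => same password
    ("carol@example.com", _sha1_hex_b64(b"sunshine")),
    ("dave@example.com", _sha1_hex_b64(b"letmein")),
    ("erin@example.com", "not base64!"),          # unrecognised shape
]

# Tiny constructed wordlist; a real attack would run a large list on a GPU.
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty"]

HEX_CHARS = frozenset(string.hexdigits)


def classify(value: str):
    """Return (kind, payload): 'plaintext_b64' with the password, 'sha1_hex_b64'
    with the lower-case hex digest, or ('unknown', None).
    Caveat: a 40-character plaintext made only of hex digits would be mistaken
    for a digest; that ambiguity is inherent in the stored format."""
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return ("unknown", None)
    if len(text) == 40 and all(c in HEX_CHARS for c in text):
        return ("sha1_hex_b64", text.lower())
    if text and text.isprintable():
        return ("plaintext_b64", text)
    return ("unknown", None)


def crack_sha1(hexdigest, wordlist):
    """Offline dictionary attack on an unsalted SHA-1 digest: one cheap hash per
    guess, and without a salt every digest in the dump is attacked in one pass."""
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode("utf-8")).hexdigest() == hexdigest:
            return candidate
    return None


def triage(records, wordlist):
    """Classify every record, recover what falls immediately, and count encoded
    values shared by more than one account (a tell for salt-less storage)."""
    kinds = Counter()
    recovered = {}
    for email, value in records:
        kind, payload = classify(value)
        kinds[kind] += 1
        if kind == "plaintext_b64":
            recovered[email] = payload
        elif kind == "sha1_hex_b64":
            hit = crack_sha1(payload, wordlist)
            if hit is not None:
                recovered[email] = hit
    shared_values = sum(1 for n in Counter(v for _, v in records).values() if n > 1)
    return dict(kinds), recovered, shared_values


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """How it should be stored: random per-user salt plus an iterated KDF, so equal
    passwords give different records and each guess costs `iterations` HMACs."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    kinds, recovered, shared = triage(SAMPLE_RECORDS, WORDLIST)
    print("record shapes:", kinds)
    print("recovered:", recovered)
    print("encoded values shared by more than one account:", shared)
    stored = pbkdf2_store("password1", iterations=100_000)
    print("pbkdf2 record:", stored)
    print("verify correct:", pbkdf2_verify("password1", stored),
          "verify wrong:", pbkdf2_verify("password2", stored))
```

Running it recovers all four usable records with five guesses: the base64 ones decode directly, and the SHA-1 ones fall to the wordlist because there is no salt and no work factor. The PBKDF2 record stores the iteration count and salt alongside the derived key, so the same password yields a different record each time and a dictionary attack has to pay the full iteration cost per guess per user.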

The records associated with the remaining users included third-party tokens for logins through Facebook and Amazon.

In response to the incident, CafePress forced users to reset their passwords without admitting the security breach.

Recently another company, StockX, the live marketplace for buying and selling limited-edition sneakers, watches, handbags and streetwear, also forced a password reset before disclosing a data breach.

Of course, this isn’t the best way to manage a data breach: the first thing to do is to report the incident to the authorities and to the impacted users. A silent password reset also does nothing about passwords the same users reused on other sites, or about the Facebook and Amazon login tokens in the dump, which affected users can only revoke if they are told what was exposed.


Pierluigi Paganini

(SecurityAffairs – CafePress, data breach)

The post CafePress Data Breach exposes technical details of 23 Million users appeared first on Security Affairs.