CafePress, an online retailer of stock and user-customized merchandise, has finally informed customers that its systems were hacked in February.

Customers received an email last week notifying them that customer names, email addresses, passwords and other personal information were stolen by hackers, The Register reported. The email says the hackers may have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity.” The email also says that the incident happened on or around Feb. 19, and that CafePress “recently discovered” the massive data theft.

Hey @cafepress, why is it taking you more than seven months to report a serious data breach to affected customers? There is no reason it should have taken this long for a notification.

— Jeremy Wallace (@jeremylwallace) September 27, 2019

However, many customers learned of the data breach in August due to an email notification from the haveibeenpwned (HIBP) breach database service, Forbes reported. According to that HIBP notification, the breach itself took place on Feb. 20 and compromised more than 23 million accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com. We Leak Info, another breach database service, added CafePress to its list in July.

New Data Breach Alert!

Site: Cafepress
Date: 02/2019
Records: 23,321,980
Status: Undisclosed
Info: Email, First Name, Last Name, Hash

See if your information was leaked for free at (link: https://t.co/Il5zj4Bl4h) https://t.co/3ev8DRCmZ6#weleakinfo #infosec #databreach #OSINT

— We Leak Info (@weleakinfo) July 14, 2019

In August, CafePress forced users to change their passwords, claiming it was due to a policy update, according to security blogger Graham Cluley. But a CafePress spokesperson told Forbes that “CafePress Inc. learned of a potential security issue related to customer accounts. We have engaged third-party experts and are investigating the issue. Our commitment to maintaining the confidentiality of our customers’ information is paramount to the employees and leadership of CafePress.”

Interesting...receive alert from @cafepress that my account was compromised, follow instructions to reset pwd, however, I apparently don't have an account with them on the same email address that they sent me the notice to. #datasecurity #hacked pic.twitter.com/vqy98aMPTU

— Ed Brooks (@EdB_SP) September 24, 2019

On its website updated Sept. 5, CafePress wrote that based on its investigation, the company believes the unidentified third party obtained personal information pertaining to “approximately 22 million customer accounts” in the United States and globally. For less than 1% of the affected individuals, the company says, the information also included Social Security numbers or tax identification numbers.

Looks like @cafepress has been hacked. I have two questions:

1. Were the passwords hashed, and if so, how?
2. Why should I freeze my credit unless more information was leaked that you're not revealing? pic.twitter.com/xAH53Eda1P

— Aaron (Okuyo) Toponce 🕉️ (@AaronToponce) September 28, 2019

CafePress said it is working with U.S. law enforcement and has also notified U.K. and European regulators. The Louisville, KY-based company said it has also shifted the database and “taken various steps to further enhance the security of our systems and your information.” Additionally in the email, CafePress included links to Experian, TransUnion and Equifax for customers to obtain free credit reports, as well as issue “fraud alerts” on their credit files.