See it and Sell it First at ASI Show Orlando – January 4-6, 2025.   Register Now.

CafePress Informs Customers of Massive February Data Hack

Millions of accounts were compromised, the company says.

CafePress, an online retailer of stock and user-customized merchandise, has finally informed customers that its systems were hacked in February.

Customers received an email last week notifying them that customer names, email addresses, passwords and other personal information were stolen by hackers, The Register reported. The email says the hackers may have had access to CafePress accounts for a limited time and the information “could have been used for fraudulent activity.” The email also says that the incident happened on or around Feb. 19, and that CafePress “recently discovered” the massive data theft.

However, many customers learned of the data breach in August due to an email notification from the haveibeenpwned (HIBP) breach database service, Forbes reported. According to that HIBP notification, the breach itself took place on Feb. 20 and compromised more than 23 million accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com. We Leak Info, another breach database service, added CafePress to its list in July.

In August, CafePress forced users to change their passwords, claiming it was due to a policy update, according to security blogger Graham Cluley. But a CafePress spokesperson told Forbes that “CafePress Inc. learned of a potential security issue related to customer accounts. We have engaged third-party experts and are investigating the issue. Our commitment to maintaining the confidentiality of our customers’ information is paramount to the employees and leadership of CafePress.”

On its website updated Sept. 5, CafePress wrote that based on its investigation, the company believes the unidentified third party obtained personal information pertaining to “approximately 22 million customer accounts” in the United States and globally. For less than 1% of the affected individuals, the company says, the information also included Social Security numbers or tax identification numbers.

CafePress said it is working with U.S. law enforcement and has also notified U.K. and European regulators. The Louisville, KY-based company said it has also shifted the database and “taken various steps to further enhance the security of our systems and your information.” Additionally in the email, CafePress included links to Experian, TransUnion and Equifax for customers to obtain free credit reports, as well as issue “fraud alerts” on their credit files.