CafePress, a well-known custom T-Shirt and merchandise site, suffered a data breach that exposed the personal information of 23 million of their customers.

Users became aware of the breach today, not through CafePress, but through notifications from Troy Hunt’s Have I Been Pwned service. 

After hearing about a CafePress data breach being circulated, Hunt solicited the help of security researcher Jim Scott who had helped him with other data breaches in the past, such as Evite.

“Security researcher Jim Scott is just fine. About 2 weeks ago I got notified by Troy that CafePress.com data breach was circulating and if I had seen it. At that time, the only public source of this data breach was from the data breach search engine WeLeakInfo and was not being sold as far as I know. With the help of my colleagues, I started to search for the database more thoroughly until I found it,” Scott told BleepingComputer via email.

Research by BleepingComputer shows that a dehashed CafePress database of approximately 493,000 accounts was being sold on  hacker forums. It is not known if this is related to the same breach.

According to HIBP, CafePress was hacked in February 2019 and exposed the personal information for 23,205,290 users. This exposed data includes Email addresses, Names, Passwords, Phone numbers, and Physical addresses.

Scott further told BleepingComputer that half of the compromised user’s passwords were encoded in base64 SHA1, which is a very weak algorithm by today’s standards. The other half of the users contained third-party tokens for logins through Facebook and Amazon.

“It came to my attention that Troy forgot to add that passwords were also affected in this security incident when first announcing this data breach, which has now been corrected. Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use especially in 2019 when better alternatives are available. The remaining users who used CafePress through third-party applications, such as FaceBook or Amazon, had no compromised passwords.”

At the time of this writing, CafePress has not responded to BleepingComputer’s queries and has not issued a statement regarding the data breach.

The only indication that something is wrong is that CafePress users are being forced to reset their password when they try to login to the site. In this password reset policy there is no mention of the breach as well.

Passwords resets are not breach disclosures!

Companies need to do a better job at letting their users control their own data. If there is a data breach, it is necessary for the companies to disclose this information so that users can adequately protect themselves.

Yet for the second time in a week, a company has decided that a password reset is their first step in disclosing a breach. First with StockX and now with CafePress.

Password reset notifications must be done at the same time as breach notifications.

Not before and not after.