Search This Blog

Owner of CafePress Penalized $500,000 for Hiding a Data Breach

After receiving notifications via Troy Hunt's Have I Been Pwned service, several users became aware of the situation.

 

CafePress's past owner Residual Pumpkin firm has been fined $500,000 by U.S. Federal Trade Commission (FTC) in their final order over a 2019 data breach that impacted 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Social Security numbers and password recovery responses were kept in plain text and for a longer period by the Residual Pumpkin firm. Additionally, the organization did not implement existing safeguards and react to security vulnerabilities. After several attacks on its servers, it attempted to hide the significant data breach carried on by its inadequate security protocols. 

A unanimous 5-0 vote accepted the FTC's order. The FTC has mandated that the corporations immediately implement multi-factor authentication of stored data and set an encryption key for all social security numbers, in addition to imposing fines on the businesses. 

As a result, the company's current owner PlanetArt, who acquired CafePress in 2020, has set up an alert system to notify all customers and vendors whose private information has been compromised.

Unknown attackers acquired access to files stored as SHA-1 hashes during a February 2019 breach of CafePress' servers, exploited, and later sold 23,205,290 CafePress users' personal information on the dark web. However, after receiving notifications via Troy Hunt's Have I Been Pwned service, several users became aware of the situation. The fact the users seemed to reset their passwords on checking in without being informed of the data breach was the only indication that something was wrong. 

Since some of its merchants' accounts had been hacked since at least January 2018, as per FTC's claim, CafePress was aware that it had vulnerabilities even before the 2019 incident.

Instead of letting users acknowledge the instances, CafePress terminated their accounts and assessed a $25 account closure fee to each of them. Before the 2019 security breach, the company's network was again affected by several malware infestations, and CafePress once again neglected to look into the attacks.
Share it:

Darkweb

Data Breach

FTC

Have I Been Pwned

Phishing Attacks

Private Data

USA