CafePress, the place where you can get anything on a T-shirt or a mug, was hacked in February, exposing usernames and passwords, and just today started requiring users to reset their passwords.

While the passwords were hashed with SHA-1, passwords aren’t as unique as we like to think — a simple dictionary scan that appends common numbers and special characters is likely to give the hacker the password you used. Add the fact that many people use the same password on multiple accounts, and it’s possible hackers have had access to millions of other services for months.

So, as usual, you should consider changing not just your CafePress password, but any other places you might have used that same password in the last six months.

This was reported on the site haveibeenpwned.com, where they said:

In February 2019, the custom merchandise retailer CafePress suffered a data breach. The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.

Once again we are confronted not just with a data breach, but the length of time that it took the company to say anything about it. We don’t know whether any security has been updated or changed or if the root cause was identified and addressed.

More news below:

Forbes: CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?
https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#79139bed407e

engadget.com: CafePress resets passwords months after reported data breach
https://www.engadget.com/2019/08/05/cafepress-data-breach/

security affairs: CafePress, the popular T-Shirt and merchandise website, suffered a data breach that exposed the personal details of 23 million of their customers.
https://securityaffairs.co/wordpress/89495/data-breach/cafepress-data-breach.html