Infosec professionals are criticizing online retailer CafePress for failing to adequately inform users that the platform recently suffered a major breach that exposed the personal data of 23 million customers. The breach occurred in February of this year and, according to breach notification site Have I Been Pwned, “the exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes.” SHA-1 is a hash function rather than an encryption algorithm, and it is a weak choice for protecting stored passwords.
CafePress has so far failed to publish a breach notification on its website or Twitter page. The firm is forcing users to change their password, but users are being told this is the result of changes to the platform’s password policy, while the data breach is not mentioned.
Read more: CafePress Slammed After Major Breach Affecting 23 Million