DataBreaches.Net


CafePress’s confusing incident response

Posted on October 1, 2019 by Dissent

On August 5, this site noted a report on Forbes that CafePress had been hacked. I had not used CafePress in years, so I was curious to see whether my data would be involved, but I didn’t hear anything from them about the February, 2019 hack.

On September 24, Graham Cluley reported that CafePress was finally notifying customers about it. I still didn’t hear anything.

Then on September 30, I received an email to the tagged email address I had created for my account with them. Their notification stated in part:

What Information Was Involved

The information may have included your name, email address, the password to your customer CafePress account, and other information.

Not knowing what that other information might include, I decided to do a password reset. So I went to the site and input the tagged email address and requested a password reset. The site returned:

A member account for the email address ‘[redacted by Dissent]’ could not be found

Well, if they had no account in their records, how/why did they send me a breach notification? What database did they use to send notifications? Was it the same database that was involved in the hack or a different one?

Now confused more than irritated, I contacted CafePress via DM on Twitter to ask them why I had received a notification if CafePress had no record of my account. They answered:

Your account was most likely closed due to non-activity. We wanted to be completely transparent and let everyone know. Sorry for your inconvenience.

They wanted to let everyone know that they had had a breach, even if their data wasn’t involved? They advised me to be vigilant for signs of fraud and to login to the site to change my password even though they had no record of any account for me? Why worry me that way? By now, I was more irritated than confused. I tried again:

So was my info accessed by the hacker(s) or not?

They responded:

We would be better able to assist you if we had the email address associated with your account. Or, you’re welcome to call us at 1-877-809-1659 between 9am-6pm, EST. Monday-Saturday or contact the outside company we have hired to assist our customers with this – 855-347-6551 or 844-386-9557.

I guess I’ll give them a call because after their delayed notification and follow-up, I now have no idea if my data were in a breach or not. And that’s not the way notification is supposed to work.


2 thoughts on “CafePress’s confusing incident response”

  1. andrew says:
    October 3, 2019 at 9:03 am

    I also got notified through mail. They said they previously sent me a letter on September 3, 2019, notifying me about a data security incident. It said it included a letter with info or to enroll in Experian IdentityWorks. Then they said due to a printing error, the phone number included in the letter was incorrect, so here is the right number: 855-347-6551. We apologize for any inconvenience. Well, I never received a letter at all till now. What should I do? I was also hit in the Yahoo breach, the Experian breach and most recent Capital One. All they want to do is give you a credit service and sweep you under the rug.

    1. Dissent says:
      October 3, 2019 at 9:30 am

      That phone number — 855-347-6551 — is the same phone number CafePress’s Twitter team gave me in DM to call, so it sounds legit.

      CafePress has not done a great job on disclosure and notification, it seems. Someone else emailed me to point out how CafePress had told consumers that their letters would never include any links, and then he got an email from them with a link in it so he was suspicious that it was a phishing link. It turned out it was legitimate.

Comments are closed.
