DataBreaches.Net


CafePress’s confusing incident response

Posted on October 1, 2019 by Dissent

On August 5, this site noted a report on Forbes that CafePress had been hacked. I had not used CafePress in years, so I was curious to see whether my data would be involved, but I didn’t hear anything from them about the February, 2019 hack.

On September 24, Graham Cluley reported that CafePress was finally notifying customers about it. I still didn’t hear anything.

Then on September 30, I received an email to the tagged email address I had created for my account with them. Their notification stated in part:

What Information Was Involved

The information may have included your name, email address, the password to your customer CafePress account, and other information.

Not knowing what that other information might include, I decided to do a password reset. So I went to the site and input the tagged email address and requested a password reset. The site returned:

A member account for the email address ‘[redacted by Dissent]’ could not be found

Well, if they had no account in their records, how/why did they send me a breach notification? What database did they use to send notifications? Was it the same database that was involved in the hack or a different one?

Now confused more than irritated, I contacted CafePress via DM on Twitter to ask them why I had received a notification if CafePress had no record of my account. They answered:

Your account was most likely closed due to non-activity. We wanted to be completely transparent and let everyone know. Sorry for your inconvenience.

They wanted to let everyone know that they had had a breach, even if their data wasn’t involved? They advised me to be vigilant for signs of fraud and to login to the site to change my password even though they had no record of any account for me? Why worry me that way? By now, I was more irritated than confused. I tried again:

So was my info accessed by the hacker(s) or not?

They responded:

We would be better able to assist you if we had the email address associated with your account. Or, you’re welcome to call us at 1-877-809-1659 between 9am-6pm, EST. Monday-Saturday or contact the outside company we have hired to assist our customers with this – 855-347-6551 or 844-386-9557.

I guess I’ll give them a call because after their delayed notification and follow-up, I now have no idea if my data were in a breach or not. And that’s not the way notification is supposed to work.


2 thoughts on “CafePress’s confusing incident response”

  1. andrew says:
    October 3, 2019 at 9:03 am

    I also got notified through mail. They said they previously sent me a letter on September 3, 2019, notifying me about a data security incident. It said it included a letter with info or to enroll in Experian IdentityWorks. Then they said due to a printing error, the phone number included in the letter was incorrect, so here is the right number: 855-347-6551. We apologize for any inconvenience. Well, I never received a letter at all till now. ???? What should I do? I was also hit in the Yahoo breach, the Experian breach and most recent Capital One. All they want to do is give you a credit service and sweep you under the rug.

    1. Dissent says:
      October 3, 2019 at 9:30 am

      That phone number — 855-347-6551 — is the same phone number CafePress’s Twitter team gave me in DM to call, so it sounds legit.

      CafePress has not done a great job on disclosure and notification, it seems. Someone else emailed me to point out how CafePress had told consumers that their letters would never include any links, and then he got an email from them with a link in it so he was suspicious that it was a phishing link. It turned out it was legitimate.
