Users learned of the breach today, not from CafePress, but through Troy Hunt's Have I Been Pwned notifications.
After hearing of a breach of CafePress data, Hunt enlisted the help of Jim Scott, a security researcher who had assisted him with earlier breaches, such as Evite. Research shows that a dehashed CafePress database of 493,000 accounts is being sold on hacker forums; it is not known whether this is the same breach. According to HIBP, CafePress was hacked in February 2019 and the personal data of 23,205,290 users was exposed. The data includes email addresses, names, passwords, phone numbers and physical addresses. This information is now available. At the time of writing, CafePress had not responded to queries and had not issued a statement about the breach. The only sign of anything amiss is that CafePress users are forced to reset their passwords when logging in to the site, and that reset prompt makes no mention of the breach.
Password resets
Companies must do a better job of protecting their users' data. In the event of a data breach, companies need to disclose it so that those affected can protect themselves adequately. Yet for the second time in a week, a company has chosen to reset passwords first and say nothing about why: first StockX, and now CafePress. Password reset notifications should go out at the same time as breach notifications. Not before, not after.