CafePress data breach exposes more than 20 million user accounts

More than 23 million accounts from CafePress have been compromised due to a data breach.

Troy Hunt, owner of Have I been Pwned (HIBP), became aware of the data breach after news of it had started circulating. As a result, security researcher Jim Scott got involved and started to search for the database. 

HIBP reported that the data breach occurred on February 20 and the compromised records included names, physical addresses, phone numbers and passwords. 

Jim Scott, cybersecurity researcher commented that “out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use especially in 2019 when better alternatives are available.”

CafePress had told its users to change their passwords due to an updated password policy rather than disclosing the breach. 

Users who use CafePress through third party applications such as Facebook, did not have their passwords compromised. 

CafePress still have not gone public about the data breach. 

If a data breach occurs, it is vital for companies to disclose this information so that users can protect themselves. 

CafePress is the second company within a week to not disclose a breach, but rather urge customers to reset their passwords. Earlier this week StockX was reportedly hacked, exposing more than 6.8 million customer records. 

Ian Thornton-Trump, the head of cybersecurity for Amtrust International commented:

“I just don’t even know if it’s even possible to safeguard data online anymore.

“I think we need strong data retention and data expiration so consumers can decide how long their data is held and what data fields are retained.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.