[conspire] 23 million CafePress accounts' data compromised, including passwords

Rick Moen rick at linuxmafia.com
Mon Sep 9 22:59:14 PDT 2019


1.  Security breach details here:
https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/

2.  This contact to me from CafePress, Inc. is shockingly tardy, given that
the breach of 23,205,290 CafePress customer accounts' details happened
in _February_, seven freakin' months ago.  For quite a few months since
then, third-party sites such as https://haveibeenpwned.com/ have been
independently notifying users of this failure.

3.  Even more shocking is that it was possible for the thieves to steal
the plaintext versions of CafePress customers' _passwords_, because
CafePress stored passwords incompetently.  That sort of theft should be
impossible on account of good hashing with cryptographic 'salt'
included, and libs that do this correctly are ubiquitous.  Extraction
being possible at all is a red flag for extraordinary IT incompetence.
https://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right

CafePress used a known-weak and excessively fast hash (base64 SHA1),
evidently without any salting.  That kind of malfeasance takes effort.

4.  (most important!)  As the advisory says below, this is why you
should never, ever re-use passwords across multiple contexts.  Have a
separate password for each thing, and every password should be a
non-junk decently complex password.  Yes, you're right, you cannot
remember them all, so don't try.  Use a password store of your choosing.

5.  Anyone who still seriously thinks you can keep your e-mail address
secret (e.g., to hide from spammers), give it up, already, man.

6.  To top off this extremely unimpressive CafePress, Inc. performance,
every single one of the URLs in the e-mail was a _bugged_ URL at yet
another firm devoted to spying on customers, CSIdentity of Austin, TX:
The expression [redacted] in each URL is my replacement for a long alpha
hash expression presumably unique to me, intended to track what
links I visited and when.  Telling me 'We are fully committed to
protecting your information' and in the same message attempting to spy
on my personal Web usage in response to the data breach isn't a good look.


----- Forwarded message from CafePress <donotreply at cafepress.com> -----

Date: Mon, 9 Sep 2019 21:16:33 -0500 (CDT)
From: CafePress <donotreply at cafepress.com>
To: "rick at linuxmafia.com" <rick at linuxmafia.com>
Subject: Data Security Incident
Reply-To: CafePress <donotreply at cafepress.com>

Data Security Incident

Dear Valued Customer,

We are writing to notify you of a data security incident involving your personal information. This email explains what happened and provides information about what you can do in response. We are taking this matter very seriously and sincerely regret any concern it may cause you.

What Happened

CafePress recently discovered that an unidentified third party obtained customer information, without authorization, that was contained in a CafePress database. Based on our investigation to date, this may have occurred on or about February 19, 2019.

What Information Was Involved

The information may have included your name, email address, the password to your customer CafePress account, and other information.

What We Are Doing

We have been diligently investigating this incident with the assistance of outside experts. We also have contacted and are cooperating with federal law enforcement authorities. In addition, we have taken various steps to further enhance the security of our systems and your information, and the affected database has been moved to a different environment.

What You Can Do

As described in the "Additional Resources" section below, we recommend you remain vigilant and take steps to protect against identity theft or fraud, including monitoring your accounts and free credit reports for signs of suspicious activity.

We also recommend that you visit the CafePress website at www.cafepress.com (http://click1.mail.csid.com/[redacted].html) and log in to any online account you may have, which should prompt you to change your account password, if you have not done so recently. In general, you should always ensure that you are not using the same password across multiple accounts, and that you are using strong passwords that are not easy to guess.

For More Information

If you have any questions or concerns for CafePress, please contact: 1-844-386-9557 Monday-Friday from 9:00 a.m. to 9:00 p.m. ET or Saturday-Sunday from 11:00 a.m. to 8:00 p.m. ET.

We are fully committed to protecting your information, and we deeply regret that this incident occurred.

Sincerely,

CafePress Inc.

=====================

ADDITIONAL RESOURCES

You may obtain a free copy of your credit report from each of the three credit reporting agencies by visiting www.annualcreditreport.com (http://click1.mail.csid.com/[redacted].html) or by calling 1-877-322-8228. You can request information regarding fraud alerts, security freezes, and identity theft from the following credit reporting agencies:

- Experian, http://click1.mail.csid.com/[redacted].html (http://click1.mail.csid.com/[redacted].html), 1-888-397-3742, P.O. Box 9554, Allen, TX 75013
- TransUnion, http://click1.mail.csid.com/[redacted].html (http://click1.mail.csid.com/[redacted].html), 1-888-909-8872, P.O. Box 2000, Chester, PA 19016-2000
- Equifax, http://click1.mail.csid.com/[redacted].html (http://click1.mail.csid.com/[redacted].html), 1-800-685-1111, P.O. Box 105788, Atlanta, GA 30348

You can contact these credit bureaus to place a "fraud alert" on your credit file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. When one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file.

A security freeze prohibits a credit-reporting agency from releasing any information from a consumer's credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. You can request a security freeze from each of the three major consumer-reporting agencies online, by telephone, or by mail via the contact information listed above. To place a security freeze, you may need to provide the following information:

- Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
- Social Security number
- Date of birth
- The addresses where you have lived over the prior five years
- Proof of current address such as a current utility bill or telephone bill
- A legible photocopy of a government-issued identification card (state driver's license or ID card, military identification, etc.)

You can also receive information from the Federal Trade Commission ("FTC") regarding fraud alerts, security freezes, your rights under the Fair Credit Reporting Act, and how to avoid and report identity theft: FTC Identity Theft Clearinghouse, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, consumer.ftc.gov (http://click1.mail.csid.com/[redacted].html), 1-877-438-4338.

Additional information:

- Iowa residents are advised to report any suspected identity theft to law enforcement or to the Office of the Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines, Iowa 50319-0106, www.iowaattorneygeneral.gov (http://click1.mail.csid.com/[redacted].html), 1-888-777-4590.

- Maryland residents may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us (http://click1.mail.csid.com/[redacted].html), 1-888-743-0023 for information about preventing identity theft.

- Massachusetts residents have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

- North Carolina residents may contact the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov (http://click1.mail.csid.com/[redacted].html), 1-877-566-7226 for information about preventing identity theft.

- Oregon residents are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Attorney General, Oregon Department of Justice, 1162 Court St. NE, Salem, OR 97301-4096, www.doj.state.or.us (http://click1.mail.csid.com/[redacted].html), 1-877-877-9392.

- Rhode Island residents may contact the Office of the Attorney General of Rhode Island, 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov (http://click1.mail.csid.com/jmtnhrdfsbrwsjzjwtmzpwfdtnwbsmhpnnjhscprjmmb_nqfpjrrktjjnqdprpkpfdq.html), (401) 274-4400. In Rhode Island, you may file or obtain a police report.

- Contact information for the other Attorneys General is available at www.naag.org/current-attorneys-general.php (http://click1.mail.csid.com/[redacted].html).

----- End forwarded message -----
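The contrast drawn in point 3, as an added example that is not from the post, from CafePress, or from any library the post links: the weak scheme the post describes (base64 of an unsalted SHA-1) beside a salted, deliberately slow scheme built only from Python's standard library. The PBKDF2 work factor and the stored-record format are this example's own assumptions, not anything CafePress is known to use.

```python
import base64
import hashlib
import hmac
import os

def weak_base64_sha1(password: str) -> str:
    """The scheme the post describes: base64(SHA-1(password)), no salt.
    Fast and deterministic, so every user with the same password gets the
    same stored value, and one precomputed table covers the whole database."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")

# Assumed work factor for this example; tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash: a fresh random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    Algorithm, iteration count, salt and digest are stored together (format is
    this example's own) so verification needs nothing but the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison's timing does not reveal how many digest bytes matched."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(expected, actual)

def same_password_detectable(scheme, password: str) -> bool:
    """True when two users sharing a password end up with identical stored values,
    which is exactly what salting is meant to prevent."""
    return scheme(password) == scheme(password)
```

Run against a leaked table, the weak scheme lets an attacker resolve all users sharing a password with a single lookup, while the salted scheme forces one full-cost computation per user per guess.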
