CafePress’s confusing incident response

On August 5, this site noted a report on Forbes that CafePress had been hacked. I had not used CafePress in years, so I was curious to see whether my data would be involved, but I didn’t hear anything from them about the February 2019 hack.

On September 24, Graham Cluley reported that CafePress was finally notifying customers about it. I still didn’t hear anything.

Then on September 30, I received an email to the tagged email address I had created for my account with them. Their notification stated in part:

What Information Was Involved

The information may have included your name, email address, the password to your customer CafePress account, and other information.

Not knowing what that other information might include, I decided to do a password reset. So I went to the site and input the tagged email address and requested a password reset. The site returned:

A member account for the email address ‘[redacted by Dissent]’ could not be found

Well, if they had no account in their records, how/why did they send me a breach notification? What database did they use to send notifications? Was it the same database that was involved in the hack or a different one?

Now confused more than irritated, I contacted CafePress via DM on Twitter to ask them why I had received a notification if CafePress had no record of my account. They answered:

Your account was most likely closed due to non-activity. We wanted to be completely transparent and let everyone know. Sorry for your inconvenience.

They wanted to let everyone know that they had had a breach, even if their data wasn’t involved? They advised me to be vigilant for signs of fraud and to log in to the site to change my password even though they had no record of any account for me? Why worry me that way? By now, I was more irritated than confused. I tried again:

So was my info accessed by the hacker(s) or not?

They responded:

We would be better able to assist you if we had the email address associated with your account. Or, you’re welcome to call us at 1-877-809-1659 between 9am-6pm EST, Monday-Saturday, or contact the outside company we have hired to assist our customers with this – 855-347-6551 or 844-386-9557.

I guess I’ll give them a call because after their delayed notification and follow-up, I now have no idea if my data were in a breach or not. And that’s not the way notification is supposed to work.

About the author: Dissent

2 comments to “CafePress’s confusing incident response”

  1. andrew - October 3, 2019

    I also got notified through mail. They said they previously sent me a letter on September 3, 2019, notifying me about a data security incident. It said it included a letter with info or to enroll in Experian IdentityWorks. Then they said due to a printing error, the phone number included in the letter was incorrect, so here is the right number 855-347-6551, we apologize for any inconvenience. Well, I never received a letter at all till now. ???? What should I do? I was also hit in the Yahoo breach, the Experian breach and most recently Capital One. All they want to do is give you a credit service and sweep you under the rug.

    • Dissent - October 3, 2019

      That phone number — 855-347-6551 — is the same phone number CafePress’s Twitter team gave me in DM to call, so it sounds legit.

      CafePress has not done a great job on disclosure and notification, it seems. Someone else emailed me to point out how CafePress had told consumers that their letters would never include any links, and then he got an email from them with a link in it so he was suspicious that it was a phishing link. It turned out it was legitimate.
