CafePress’s confusing incident response
On August 5, this site noted a report on Forbes that CafePress had been hacked. I had not used CafePress in years, so I was curious to see whether my data would be involved, but I didn’t hear anything from them about the February 2019 hack.
On September 24, Graham Cluley reported that CafePress was finally notifying customers about it. I still didn’t hear anything.
Then on September 30, I received an email to the tagged email address I had created for my account with them. Their notification stated in part:
What Information Was Involved
The information may have included your name, email address, the password to your customer CafePress account, and other information.
Not knowing what that other information might include, I decided to do a password reset. So I went to the site and input the tagged email address and requested a password reset. The site returned:
A member account for the email address ‘[redacted by Dissent]’ could not be found
Well, if they had no account in their records, how/why did they send me a breach notification? What database did they use to send notifications? Was it the same database that was involved in the hack or a different one?
Now confused more than irritated, I contacted CafePress via DM on Twitter to ask them why I had received a notification if CafePress had no record of my account. They answered:
Your account was most likely closed due to non-activity. We wanted to be completely transparent and let everyone know. Sorry for your inconvenience.
They wanted to let everyone know that they had had a breach, even if their data wasn’t involved? They advised me to be vigilant for signs of fraud and to log in to the site to change my password even though they had no record of any account for me? Why worry me that way? By now, I was more irritated than confused. I tried again:
So was my info accessed by the hacker(s) or not?
We would be better able to assist you if we had the email address associated with your account. Or, you’re welcome to call us at 1-877-809-1659 between 9am-6pm EST, Monday-Saturday, or contact the outside company we have hired to assist our customers with this – 855-347-6551 or 844-386-9557.
I guess I’ll give them a call because after their delayed notification and follow-up, I now have no idea if my data were in a breach or not. And that’s not the way notification is supposed to work.