Several months after the fact, CafePress finally acknowledges huge data theft to its customers

T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month. Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted …

  1. tekHedd

    Base64!

    So glad my password was protected not just by SHA1, but also the industry standard additional protection of base64 encoding. Whew, I was worried there for a second. So glad they clarified that, I feel safer now.

    1. Dwarf

      Re: Base64!

      Don't worry, they have upgraded. Probably they added a layer of ROT13.

      Now it's absolutely secure, honest. Dave the cleaner said it was bullet proof.

      Makes you wonder what sort of security governance some of these companies rely on...

      1. fidodogbreath

        Re: Base64!

        Plus, before ROT13 encoding they salted all the passwords by appending "...in bed". So, it's basically uncrackable.

        1. Christoph

          Re: Base64!

          And then applied a Caesar cypher. If it was good enough for him ...

      2. Anonymous Coward

        So close, but you missed the obligatory follow-through on that one

        > "Probably they added a layer of ROT13."

        ...and ran it twice, just to be sure.

      3. Tom Paine

        Re: Base64!

        Governance? They HAVEN'T heard of it.

    2. Anonymous Coward

      Re: Base64!

      If you're storing hashes in a text database, you're going to have to encode them with something, whether ASCII, hex, base64, etc.

      Using base64 instead of the more usual hex means nothing either way.
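As an added illustration of the point above (not code from the article, its commenters, or CafePress): the base64 and hex forms of an unsalted SHA-1 digest are the same bytes and convert losslessly into each other, so the encoding adds no protection, and identical passwords always produce identical digests. Beside it is a salted, iterated PBKDF2-HMAC-SHA256 store-and-verify routine; the `pbkdf2_sha256$iters$salt$hash` storage layout and the sample password are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample password for demonstration; not taken from the breach.
SAMPLE_PASSWORD = "correct horse battery staple"


def sha1_hex_and_base64(password: str) -> tuple:
    """Unsalted SHA-1 of the password in the two usual text encodings."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return digest.hex(), base64.b64encode(digest).decode("ascii")


def base64_to_hex(b64_digest: str) -> str:
    """Base64 is a transport encoding, not protection: it reverses losslessly."""
    return base64.b64decode(b64_digest).hex()


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (constructed storage format)."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)
```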

  2. Pascal Monett

    "Dear Valued Customer"

    Not valued enough, however, to bother encrypting your passwords, or implementing network traffic awareness tools, or just locking down our fucking database in the first place.

    But you are valued, until you give us your money, that is.

  3. sitta_europea

    If you're worried that your personal details have been compromised, here's a link to the Equifax Website...

  4. hi_robb

    Here's a product idea for them.

    I visited this site to shop securely, but all I got was this lousy t-shirt.

    1. Teiwaz

      Re: Here's a product idea for them.

      Here's a product idea for them.

      I visited this site to shop securely, but all I got was this lousy t-shirt.

      I suggest an addendum to that, perhaps for the back

      "..but three other people attempted to buy expensive shoes on my credit card"

    2. Anonymous Coward

      Re: Here's a product idea for them.

      I ordered one with your name, address and password on it. It's remarkably practical. Oh, and thanks for paying for it!

  5. Eric Kimminau TREG

    And this, dear friends, is why you NEVER allow a database to be directly accessible from the internet.

    You should pass through a firewall and ONLY allow the hosts that must connect to the database connect on the specific port required for the application.

    This does not prevent the application server from getting hacked and then snarfing the data via the approved firewall rule. Especially since most developers are lazy and code the userid and password in their code.

    1. Anonymous Coward

      OK Captain Obvious - tell us again about rudimentary security processes; I could be a full fledged security consultant now just by repeating what you wrote again and again to companies with a clause in my contract stating that if they fail to implement my recommendations, I would get an automatic year's credit monitoring.......

      1. TonyJ

        "...OK Captain Obvious - tell us again about rudimentary security processes; I could be a full fledged security consultant now just by repeating what you wrote again and again to companies with a clause in my contract stating that if they fail to implement my recommendations, I would get an automatic year's credit monitoring......."

        So fucking obvious, yet how many companies breach even the basic rules of security? How often do we read about hard coded passwords, unencrypted databases, apparently enterprise-grade applications/backends that have default crappy passwords left alone, database servers that aren't just left connected to the net, but also copies of them left unencrypted and forgotten about? How many times have lazy and/or incompetent devs left things like certificates and keys in their code or on cloud servers there for all to see?

        Yeah it might seem obvious but fuck me if too many people can't see the woods for the trees.

        It's time the ICO et al stopped pissing about and fined the company directors directly. It will do wonders for focussing their minds.

  6. Korev

    Europe

    >The company said it is working with US law enforcement and has notified UK and European regulators.

    Britain is in Europe and will remain so even if Brexit happens...

  7. Uplink

    Don't roll your own security

    "why passwords were not properly encrypted" - because nobody checked the code, and they rolled their own security module?

    The security module developer might as well have been a contractor too, and then the motto of "if it ain't broke don't fix it" was applied. I mean, it was working, right? No need to look into it to see how it does it - no time for opening cans of worms.

    This usually involves using a framework that provides pretty much all the scaffolding you need and lets you focus on your business logic. Don't roll your own framework either.

  8. Captain Scarlet

    Had the email

    Still can't reset my password as my account's archived or something

  9. Anonymous Coward

    Also received the mail, but I've not traded with them since 2013, and my account can't be recovered.

  10. Dave Bell

    There may be worse lurking.

    I don't recall ever having an account there, but I got today's warning. It includes a mention of the dangers of using the same password with multiple accounts.

    It's possible that it is one of those sites that lets you log in with a Twitter account, or Facebook, or Google. I am not inclined to go and check. It seems very obvious that, while there are advantages in tracking what people look at, and a cookie should be enough for that, they don't need a full account until somebody wants to buy something.

    Twitter doesn't have payment data, but Google does. I'm not a Facebook user. The way that internet operations in the USA are sharing data is worrying. The way some of them refuse to accept connections from Europe suggests they're not even trying to keep personal data safe and secure.

    What can we do to be safe?

  11. Anonymous Coward

    STILL TELLING PEOPLE

    I didn't get the original email, but I got one today, a healthy 8 months after the fact.
