back to article Add passwords to list of stuff CafePress made hash of storing, says infoseccer. 11m+ who used Facebook 'n' pals to sign in were lucky

Passwords were among the 23 million customer records siphoned from CafePress by hackers – and the site was using the less secure SHA-1 hashing algorithm to store half of its users' credentials. As El Reg and the rest of the security-focused media reported yesterday, CafePress had around 23 million customer records exfiltrated …

  1. Pascal Monett Silver badge
    Coat

    One of these days . . . ONE of these days

    Companies that are sloppy with their customer's private data will get it. Right . In. The. Kisser.

    But not today.

  2. Anonymous Coward
    Anonymous Coward

    How have they not commented?

    This kind of seems like a thing that the very second you here about it, you publically say... I'M ON IT!! Waiting until you have to say "We've been working on how to address this." is the plan for the cowardly (and most certainly shady) types of companies. Seems nuts to say nothing, which says a lot about your company.

    And the part about the hex codes SHA's, maybe they weren't about to migrate, maybe they already did!!

    1. John Brown (no body) Silver badge

      Re: How have they not commented?

      "And the part about the hex codes SHA's, maybe they weren't about to migrate, maybe they already did!!"

      I was thinking "at least it wasn't ROT13", but in light of your comment, maybe that's what they upgraded from!!

  3. I.Geller Bronze badge

    AI password is absolutely unique, dynamically changes/ is a part of blockchain/ securely saved in many ledgers, can be a few thousand records long.

    1. John Brown (no body) Silver badge

      I can't quite decide if you are an agile DevOp or an MBA with a geeks dictionary.

      1. Solarflare

        Or if he has an easily guessable password and amanfrommars logged in to his account :)

        1. I.Geller Bronze badge

          Impossible, AI is a blockchain technology.

        2. Is It Me

          Judging form other comments I would say a cousin of a man from mars

          1. I.Geller Bronze badge

            14. The computer system of claim 9 in which said facility configured to extract predicative phrases is further configured to assign to the subtexts information regarding the date of their origin.

          2. TimMaher Silver badge

            Or a man from Uranus?

            Bit further away.

            1. I.Geller Bronze badge

              Study Philosophy! If SQL came from External theory try Internal.

  4. teknopaul

    jus sayin

    "passwords exposed encoded in base64 SHA-1, which is a very weak encryption method to use"

    Hashing is not encryption. No one with strong passwords had them "exposed".

    If there are duplicates probably dictionary attacks are possible against weak passwords. Not good if you use the same weak password everywhere.

    SHA1 is not recommended because you can find collisions, not because its "weak encryption".

    Even MD5 keeps stong passwords secure. You can create a collision in seconds. But that does not expose any passwords.

    1. Claptrap314 Silver badge

      Re: jus sayin

      To are technically correct.

      And entirely wrong in practice.

      If your password is "29bAjwqsG3ikbqHqu9F8gg", and "1111111" hashes to the same thing as "29bAjwqsG3ikbqHqu9F8gg", then you have two functional passwords. If I find either, you lose.

      As it happens, the definition of a weak hash is one that it is easy to find values to meet any particular hash. So while perhaps "1111111" does NOT hash to the same thing, I can take the (salted) hash of your password, and FIND that "Pv1po81mVHH8+YrBOC8FNgZqRckT111sITatDm0ObuVw" does hash to the same thing, with a relatively limited effort.

      1. Amentheist

        Re: jus sayin

        He is wrong in the sense that hashing is fast and intended to be used to generate a digest so it's also fast to bruteforce while stuff like bcrypt are geared towards password storage and 'slower' to calculate

      2. teknopaul

        Re: jus sayin

        Re "you lose". You dont loose much. If hackers find a collision and that will (might) get them logged into cafepress as you, and can see your mug purchasing history. Perhaps siphon off a bit more personal info than they got in the first hack.

        My point is hacker has not found the users original password you have found a different password that will do (for entering cafepress through the front door). Passwords are only *exposed* if they are weak and subject to dictionary attacks. Password is not there for the decrypting. Data is lost when you hash. Just saying hashing is not encryption, and passwords are not exposed by finding collisions.

      3. teknopaul

        Re: jus sayin

        Its still right in practice. Sha1 is not easy to find collisions, one has been found ever. It cost Google a huge amount to find it.

        It is unlikely that someone spends that amount money to find another collision for the purpose of entering cafepress.com as someone else. Practically password hashing with sha1 is still safe in 2019 for most use cases.

        It will never get past a security audit tho because knowlegable infosec bods will direct you to shattered.io and tell you "sha1 is broken".

        Another practical problem with sha1 collisions is that if you do spend $100,000 on finding a collision chances are you dont get a valid unicode string that passes input validation.

        Dictionary attacks are a different story.

    2. diodesign (Written by Reg staff) Silver badge

      Re: tedious pedant

      "Hashing is not encryption"

      Hashing is one-way encryption.

      C.

  5. Anonymous Coward
    Anonymous Coward

    I am shocked, shocked I tell you!

  6. Captain Scarlet Silver badge

    Apparently my CafePress account is gone

    Wasn't able to reset the account (I did receive the pwned note from Troy), to be fair I havent used CafePress in something like 15 years so unsure how old this data is.

    1. Tech Hippy

      Re: Apparently my CafePress account is gone

      Similar situation for me: Account included in breach notifications, but my last interaction with them was in August 2010. I have no account according to their "forgot password" page.

      I raised a ticket, and CafePress helpdesk tell me my account was 'archived due to inactivity' in Jan 2019, although their 2017 user agreement says accounts will be suspended for inactivity more than 12 months (rather than over 8 years). Of course once your account is archived there is no self-service way to delete it..

      Unfortunately failed to address my questions on why they were still holding my data, or what GDPR compliance is in place.

      I've just got back to them to exercise my 'right to be forgotten' - a bit late but better to clean up my old data with them whilst they are under focus.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like