CafePress Data Breach: Owner Agrees to Feds' Settlement
22 Million Accounts Breached Owing to Multiple Security Failures, Regulator Says
Does your organization store Social Security numbers and security questions in clear text? Does it fail to use "reasonable measures" to safeguard passwords? Has it "failed to implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public"?
Those are just three of the information security shortcomings cited by the U.S. Federal Trade Commission in a draft settlement agreement it announced this week with CafePress, a website that allows independent "shopkeepers" to sell a range of user-customizable products, including T-shirts and coffee mugs.
The FTC says that owing to a multitude of poor security practices, the CafePress site was breached by attackers multiple times. In these breaches, attackers stole account details and personal information for approximately 22 million users.
"CafePress recently discovered that an unidentified third party obtained customer information, without authorization, that was contained in a CafePress database," the company said in a Sept. 5, 2019, data breach notification on its websites. "Based on our investigation to date, this may have occurred on or about Feb. 19."
The breach triggered investigations not just by the FTC, but also by multiple state attorneys general. It also sparked a lawsuit, filed in U.S. District Court in Illinois, seeking class action status (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security). But that lawsuit was dismissed in 2020.
When the data breach occurred, CafePress was owned by the company the FTC names as respondent Residual Pumpkin Entity, based in Louisville, Kentucky. On Sept. 1, 2020, most of CafePress' assets were sold to PlanetArt, based in Calabasas, California, after which the former owner changed its name to Residual Pumpkin Entity.
In a comment about the FTC's settlement, PlanetArt tells Information Security Media Group: "The data breach occurred well before PlanetArt bought the CafePress brand, and happened under the technology leadership of the brand's prior owner. PlanetArt was happy to agree to the FTC's request that PlanetArt also become obligated to the FTC's settlement with the prior owner, as it comports with the priority PlanetArt has always placed on cybersecurity specifically and, more generally, on consumer protection."
As part of the proposed settlement, CafePress' former owner would also pay a fine of $500,000.
Multiple Security Failures Cited by FTC
The FTC says the company's list of standard email responses to common security questions included this statement: "CafePress.com also pledges to use the best and most accepted methods and technologies to [ensure] your personal information is safe and secure."
But according to the FTC's complaint, those claims were not true. Indeed, "among other things," the settlement details numerous poor data security practices, including the company regularly failing to comply with its own security policies.
In addition, the FTC says Residual Pumpkin "failed to implement readily-available protections, including many low-cost protections, against well-known and reasonably foreseeable vulnerabilities," such as SQL injection, CSS and HTML injection, cross-site scripting - aka XSS - and cross-site request forgery attacks. SQL injection is the class of flaw that a security researcher later demonstrated against a CafePress database.
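To make the first item on that list concrete, here is an added example (not CafePress code; the table, rows and payload are constructed for illustration) showing why splicing untrusted input into query text lets a single quoted payload return every row, and how binding the value as a parameter removes the problem:

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for a customer table; not CafePress data.
SAMPLE_ROWS = [
    ("alice@example.com", "123-45-6789"),
    ("bob@example.com", "987-65-4321"),
]

# Classic payload: closes the string literal and appends an always-true clause.
INJECTION_PAYLOAD = "nobody@example.com' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT NOT NULL, tax_id TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the caller's string is spliced into the SQL text,
    so quotes inside it are parsed as SQL syntax rather than treated as data."""
    sql = f"SELECT email, tax_id FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Hardened: the driver binds the value, which is compared as data only."""
    sql = "SELECT email, tax_id FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_PAYLOAD))        # every row
    print("parameterized:", lookup_parameterized(db, INJECTION_PAYLOAD))  # []
```

The vulnerable query becomes `... WHERE email = 'nobody@example.com' OR '1'='1'`, which is true for every row; the parameterized version looks for a literal email address containing the quote characters and finds nothing.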
The company also stored personal information, including Social Security numbers, tax identification numbers and the answers to password-reset security questions, in clear text.
For hashing passwords, the company used the SHA-1 hashing algorithm, which the U.S. National Institute of Standards and Technology deprecated in 2011, and which security experts have been warning for years is not fit for use with passwords: it is a fast, general-purpose digest, so stolen hashes can be brute-forced at billions of guesses per second on commodity GPUs. In addition, Residual Pumpkin failed to salt the passwords, meaning it did not mix random data into each password before hashing it. A per-account salt makes identical passwords hash to different values and defeats precomputed rainbow tables. Purpose-built password hashes such as bcrypt, scrypt, Argon2 or PBKDF2 address both shortcomings.
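The following added example (not code from CafePress or the FTC; the user list and "rainbow table" are constructed) shows both failures side by side: an unsalted SHA-1 store, where a small table of common-password digests recovers every account that chose one of them, next to a salted PBKDF2 store using only Python's standard library, where two users with the same password get unrelated digests and verification uses a constant-time compare:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample: three accounts, two of which chose the same weak password.
# Illustrative only; not data from the CafePress breach.
USERS = {"alice": "summer2019", "bob": "summer2019", "carol": "Tr0ub4dor&3"}

# A rainbow table in miniature: precomputed SHA-1 digests of a few common
# passwords. Real tables hold billions of entries.
COMMON_PASSWORDS = ["123456", "password", "summer2019", "qwerty"]
SHA1_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hash_sha1_unsalted(password: str) -> str:
    """The scheme the FTC faulted: one fast, unsalted digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_with_table(digest: str) -> Optional[str]:
    """Recover a password by table lookup. This works because, without a salt,
    the same password yields the same digest for every user on every site."""
    return SHA1_TABLE.get(digest)


def audit_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    """Simulate an attacker holding a stolen unsalted SHA-1 table: return the
    accounts whose passwords the tiny table recovers."""
    recovered = {}
    for username, password in users.items():
        hit = crack_with_table(hash_sha1_unsalted(password))
        if hit is not None:
            recovered[username] = hit
    return recovered


def hash_pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: a fresh 16-byte random salt per account plus a slow,
    iterated KDF. Returns (salt, digest); both are stored with the account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_pbkdf2_salted(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("recovered from unsalted SHA-1 store:", audit_unsalted_store(USERS))
    salt, digest = hash_pbkdf2_salted("summer2019")
    print("salted digest differs per account:", hash_pbkdf2_salted("summer2019")[1] != digest)
    print("verify ok:", verify_pbkdf2("summer2019", salt, digest))
```

Note that the salted store gains nothing if the salt is stored separately or "secretly"; its job is only to make each digest unique, while the iteration count is what slows guessing. Either bcrypt, scrypt or Argon2 would be a better choice than PBKDF2 for a new system, but PBKDF2 is shown here because it needs no third-party package.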
The FTC says Residual Pumpkin also failed to:
- Require strong passwords;
- Delete unneeded user data in a timely manner;
- Implement "reasonable procedures to prevent, detect, or investigate an intrusion," such as robust logging and monitoring;
- Disclose security incidents in a timely manner;
- Investigate malware outbreaks;
- Sufficiently lock down accounts after attackers had taken them over.
Follows Settlement With States
Residual Pumpkin already agreed to a settlement over the data breach with the attorneys general of Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon.
On Dec. 18, 2020, New York Attorney General Letitia James announced that Residual Pumpkin had agreed to pay a $2 million fine for multiple cybersecurity failures. The actual amount paid by Residual Pumpkin was $750,000, divided among states with affected residents, and the remainder of the settlement was "suspended based on the company's financial condition," according to the New York attorney general's office.
As part of the settlement agreement, Residual Pumpkin pledged to make numerous information security improvements.
Data Breach Timeline
One of the shortcomings detailed by the FTC was a failure by Residual Pumpkin to investigate suspected intrusions in a timely manner, even though it had been suffering multiple malware outbreaks and account takeovers.
Here's a timeline of the data breach and how Residual Pumpkin responded, as detailed by the New York attorney general's office and the FTC:
- Feb. 19, 2019: An attacker stole customer and seller data for about 22 million accounts, including 186,179 Social Security or tax identification numbers.
- March 11, 2019: Residual Pumpkin received a warning from a security researcher stating that he "believe[s] hackers have access to your customer [database]. The data is currently for sale in certain circles." The researcher demonstrated how a SQL injection vulnerability in a CafePress database could be exploited.
- March 12, 2019: Residual Pumpkin confirmed the vulnerability.
- March 13, 2019: After reviewing only two weeks' worth of logs, Residual Pumpkin found no evidence of a breach, but patched the affected system.
- March 13, 2019: Residual Pumpkin investigated a spike in orders suspected to be fraudulent and concluded that they traced to someone "testing ou[t] stolen credit cards," according to the FTC.
- April 4, 2019: CafePress reset the passwords of all accounts, requiring users logging in from that date forward to pick a new password.
- April 10, 2019: "Residual Pumpkin received an email from a foreign government with an attached letter stating that a hacker had illegally obtained access to CafePress user account information from January 2014 to January 2019," the FTC says. "The email included an attachment with CafePress account logins and passwords and said the hacker had sold the information to a large number of 'carders.'" It also requested that Residual Pumpkin immediately notify all affected users, not least so they could take steps to protect themselves.
- July 13, 2019: Social media posts claimed that a large quantity of customer data had been stolen from CafePress and was being offered for sale on cybercrime markets.
- Aug. 3, 2019: Social media posts containing passwords allegedly recovered from the CafePress data breach began to appear.
- Aug. 4, 2019: The free breach notification service Have I Been Pwned loaded the email addresses exposed in the breach, so that anyone could check whether their address was included and the service's subscribers were alerted directly that their details had been exposed.
- Sept. 4, 2019: Residual Pumpkin began to notify affected CafePress users and offered victims whose Social Security or tax identification numbers had been exposed two years of prepaid identity theft and credit monitoring.
Post-Breach Problems Continued
The FTC says Residual Pumpkin didn't launch a full investigation into the breach until September 2019, when "an identity thief or thieves used personal information belonging to three Residual Pumpkin employees to try to change the employees' payroll direct deposit information." It was the third such incident that year, following similar attempts in April and May, the FTC says.
It also says Residual Pumpkin didn't completely fix problems tied to the CafePress data breach until later. Notably, "Residual Pumpkin continued to allow passwords to be reset through Residual Pumpkin's website simply by answering a security question associated with an email address," the FTC says. But this precise information had been stolen by the attacker and was being offered for sale.
This shortcoming was only remedied around Nov. 19, 2019, when Residual Pumpkin began to verify that anyone attempting to log into an account to change the password also controlled the associated email address.
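As an added example (not CafePress code; the account record is constructed), the two reset flows described above side by side: the old one, in which the security answer alone authorizes a password change, so anyone holding the stolen database can take over the account, and a hardened one in which the only thing that authorizes the change is a random, single-use, expiring token delivered to the account's mailbox. The token is returned by `request_reset` purely so the example can play the part of the mailbox.

```python
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60

# Constructed account record; not CafePress data. The password is kept in clear
# here only to keep the example focused on the reset logic.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"password": "correct horse", "security_answer": "fluffy"},
}

# Pending reset tokens, keyed by SHA-256 of the token so that a copy of this
# table does not hand an attacker live tokens.
PENDING: Dict[str, Dict[str, Any]] = {}


def reset_by_security_question(email: str, answer: str, new_password: str) -> bool:
    """The flow the FTC faulted: the security answer alone authorizes a reset.
    Once answers sit in a stolen database, this is an account-takeover oracle."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["security_answer"], answer):
        return False
    acct["password"] = new_password
    return True


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened flow, step 1: mint a random, single-use, expiring token and send
    it only to the account's mailbox. A real service returns the same HTTP
    response whether or not the address exists, so callers cannot enumerate
    accounts; here the token is returned so the example can act as the mailbox."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[_token_id(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Hardened flow, step 2: possessing the token proves control of the mailbox.
    The token is consumed on first use and rejected after TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_id(token), None)  # pop: single use, even on failure
    if entry is None or now > entry["expires"]:
        return False
    ACCOUNTS[entry["email"]]["password"] = new_password
    return True


if __name__ == "__main__":
    print("old flow, attacker with leaked answer:", reset_by_security_question("alice@example.com", "fluffy", "pwned"))
    tok = request_reset("alice@example.com")
    print("hardened flow, token from mailbox:", complete_reset(tok, "fresh"))
    print("hardened flow, token replayed:", complete_reset(tok, "replay"))
```

The `now` parameter exists so expiry can be tested deterministically; in production it defaults to the clock. Anything else a reset endpoint learns from the request, such as a security answer, should at most be an additional factor, never a substitute for proving control of the mailbox.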
On the privacy and data minimization front, Residual Pumpkin in November 2019 began to delete data it had stored on users, in response to requests from residents of the European Economic Area and Switzerland, the FTC says. Since June 19, 2018, Residual Pumpkin had claimed to delete such data upon request, but the FTC said it instead deactivated accounts and had been keeping the data. As a result, many individuals who had requested - prior to the breach - that their personal information be deleted, still had their personal information exposed in the breach.
The FTC says Residual Pumpkin deactivated CafePress accounts for shopkeepers that it believed had been hacked but charged them a $25 closure fee. The regulator said this amounted to "an unfair act or practice" and was one of the multiple shortcomings it detailed in its complaint, which seeks to have Residual Pumpkin not only overhaul its security practices but also pay a fine.