We've, um, changed our password policy, says CafePress amid reports of 23m pwned accounts

Twee T-shirts 'n' merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy.

Details of the security breach emerged when infosec researcher Troy Hunt's Have I Been Pwned service – which lists websites known to have been hacked, allowing people to check if their information has been stolen – began firing out emails to affected people in the small hours of this morning.

According to HIBP, a grand total of 23,205,290 CafePress customers' data was swiped by miscreants, including email addresses, names, phone numbers, and physical addresses.

We have asked CafePress to explain itself and will update this article if the company responds. There was no indication on its UK or US websites at the time of writing to indicate that the firm had acknowledged any breach.

New breach: CafePress had 23M unique email addresses breached in February. Some records also contained names, physical addresses and phone numbers. 77% were already in @haveibeenpwned https://t.co/hv1u9SEsMR

— Have I Been Pwned (@haveibeenpwned) August 5, 2019

Darren Pauli, late of this parish, was affected and discovered this screen when he logged into CafePress to change his password:

Pretty disingenuous of CafePress to mask a data breach of names, mobiles, and street addresses under a password policy update. pic.twitter.com/t7RUt6pRKH

— darren (@darrenpauli) August 5, 2019

He told El Reg: "I went to log into CafePress to see if they had my current street address and it threw that 'change password' page. No sign anywhere on the homepage or login of the breach – which Hunt puts as February this year – and no email in my inbox from them to notify me."

CafePress had not contacted him proactively, he said.

Professor Alan Woodward of the University of Surrey opined that the breach must have been "as big a surprise to them as to their customers", while wondering whether, given the evident lack of response so far from CafePress, whether the attackers had merely made off with 24 million people's data or had left "something still in there phoning home".

Musing on the 77 per cent of email addresses from the breach having been seen in previous HIBP reports, Woodward said that factoid "brings me to a problem that isn't being discussed that much, and which this kind of breach does highlight: the use of email as the user name. It's clearly meant to make life easier for users, but the trouble is once hackers know an email has been used as a username in one place it is instantly useful for mounting credential-stuffing attacks elsewhere."

"I wonder," he told The Register, "if we shouldn't be using unique usernames and passwords for each site. However, it would mean that it becomes doubly difficult to keep track of your credentials, especially if you're using different strong passwords for each site, which I hope they are. But all users need do is start using a password manager, which I really wish they would."

The standard post-breach advice is to change your passwords, especially any on sites where you have reused those credentials (which you shouldn't do, by the way), keep extra vigilant for any signs of login attempts or password resets that you didn't initiate, and stay vigilant for any phishing attempts. ®