Add passwords to list of stuff CafePress made hash of storing, says infoseccer. 11m+ who used Facebook 'n' pals to sign in were lucky

11m other leaked users' p-words hashed with SHA-1


Passwords were among the 23 million customer records siphoned from CafePress by hackers – and the site was using the less secure SHA-1 hashing algorithm to store half of its users' credentials.

As El Reg and the rest of the security-focused media reported yesterday, CafePress had around 23 million customer records exfiltrated from its systems back in February.

That data theft came to light yesterday after Troy Hunt, operator of the Have I Been Pwned hack-tracking website, learned that the hack had taken place and that millions of peoples' credentials were circulating on hacker forums.

Infosec researcher Jim Scott told The Register that he found the swiped info after rumours of it reached Troy Hunt's ears in mid-July. The stolen data included email addresses, names, phone numbers, and physical addresses – and, as it now turns out, passwords, too.

Scott told The Register: "Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1, which is a very weak [one-way] encryption method to use, especially in 2019 when better alternatives are available."

Hunt, meanwhile, mused that he'd seen both "a heap of identical base64 encoded 'passwords'" and then "some SHA-1 versions stored in hex then base64 encoded", leading one infoseccer to speculate that a planned migration had been taking place, although CafePress has not commented on this, nor on the database heist at all.

As for people affected by CafePress, Scott offered some comfort to those who logged in via third-party providers.

"The remaining users who used CafePress through third-party applications, such as FaceBook or Amazon, had no compromised passwords," he said, adding: "It is very disappointing and frustrating to see when companies are unable to protect their users' information when the necessary approach for better protection is available. And when an incident like this occurs, it is often the user who has to pay the price for other people's mistakes."

He encouraged people to use multi-factor authentication, to which El Reg adds the standard advice to also use a password manager. If nothing else, it makes identifying and changing your passwords after a cyber-break-in just that little bit easier – but good ones will also allow the generation of unique and, hopefully, hard-to-guess login credentials. ®

Similar topics

Broader topics


Other stories you might like

  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Elasticsearch server with no password or encryption leaks a million records
    POS and online ordering vendor StoreHub offered free Asian info takeaways

    Researchers at security product recommendation service Safety Detectives claim they’ve found almost a million customer records wide open on an Elasticsearch server run by Malaysian point-of-sale software vendor StoreHub.

    Safety Detectives’ report states it found a StoreHub sever that stored unencrypted data and was not password protected. The security company’s researchers were therefore able to waltz in and access 1.7 billion records describing the affairs of nearly a million people, in a trove totalling over a terabyte.

    StoreHub’s wares offer point of sale and online ordering, and the vendor therefore stores data about businesses that run its product and individual buyers’ activities.

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Millions of people's info stolen from MGM Resorts dumped on Telegram for free
    Meanwhile, Twitter coughs up $150m after using account security contact details for advertising

    Miscreants have dumped on Telegram more than 142 million customer records stolen from MGM Resorts, exposing names, postal and email addresses, phone numbers, and dates of birth for any would-be identity thief.

    The vpnMentor research team stumbled upon the files, which totaled 8.7 GB of data, on the messaging platform earlier this week, and noted that they "assume at least 30 million people had some of their data leaked." MGM Resorts, a hotel and casino chain, did not respond to The Register's request for comment.

    The researchers reckon this information is linked to the theft of millions of guest records, which included the details of Twitter's Jack Dorsey and pop star Justin Bieber, from MGM Resorts in 2019 that was subsequently distributed via underground forums.

    Continue reading

Biting the hand that feeds IT © 1998–2022