Can online retailers keep your personal information secure?

On March 17, 2022, CafePress’ past owner was fined $500,000 for security problems.

What is CafePress?

CafePress is an online retail store that allows customers to create their own products, like custom T-shirts, bags, mugs and other merchandise.

‘Shoddy’ Security

The Federal Trade Commission (FTC) claims that CafePress stored customers’ information in readable (plain) text, kept their data longer than necessary and did not repair known system vulnerabilities. CafePress was hacked in November 2018 and more than 23 million accounts were compromised. About a year later, CafePress was hacked again. An attacker was able to access the data and obtain users’ private information, which was protected only by weak encryption. The incident exposed the personal data of millions of CafePress users, including email addresses, passwords, physical addresses, names, security questions and answers, phone numbers, tens of thousands of payment card details and over 180,000 unencrypted Social Security numbers.

Secure algorithms

When 23 million customer records were siphoned from CafePress by hackers in November 2018, CafePress was using SHA-1 to store its users’ personal information.

What is SHA-1?

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the National Security Agency and published by the National Institute of Standards and Technology (NIST) as a Federal Information Processing Standard (FIPS). SHA-1 takes an input of arbitrary length and produces a 160-bit (20-byte) hash value. In 2005, cryptanalysts found an effective attack on SHA-1, suggesting the algorithm was no longer secure enough for continued use; Google, Microsoft and other browser vendors have since refused to accept SHA-1-signed web encryption certificates.
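The reason a bare SHA-1 digest is a poor way to store the passwords described above is not only the 2005 collision result: SHA-1 is fast and deterministic, so without a per-user salt every customer who chose the same password ends up with the same stored value, and one precomputed table serves every leaked record. The following is an added example, not code from the post or from CafePress, that puts the weak scheme beside a salted, deliberately slow alternative (PBKDF2-HMAC-SHA256 from Python’s standard library). The customer records and the storage format string are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data for the example: two customers who happen to
# share a password. Nothing here is real CafePress data.
CUSTOMERS = {
    "alice@example.com": "Summer2018!",
    "bob@example.com": "Summer2018!",
}


def sha1_store(password: str) -> str:
    """The weak scheme: an unsalted SHA-1 digest of the password.

    Deterministic and fast, so identical passwords give identical stored
    values and a single precomputed table covers every user in a leak.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """The hardened scheme: random per-user salt plus an iterated hash.

    Stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (a format chosen
    for this example) so the cost can be raised later without breaking
    verification of older records.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def duplicate_hash_count(records: dict) -> int:
    """Number of distinct stored values shared by more than one user.

    With unsalted SHA-1 this reveals password reuse straight from the
    leaked table; with per-user salts it should always be zero.
    """
    seen = {}
    for value in records.values():
        seen[value] = seen.get(value, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


def compare_schemes() -> tuple:
    """Store the sample customers both ways and count shared hashes."""
    weak = {user: sha1_store(pw) for user, pw in CUSTOMERS.items()}
    strong = {user: pbkdf2_store(pw) for user, pw in CUSTOMERS.items()}
    return duplicate_hash_count(weak), duplicate_hash_count(strong)


if __name__ == "__main__":
    weak_dups, strong_dups = compare_schemes()
    print("shared hashes with unsalted SHA-1:", weak_dups)
    print("shared hashes with salted PBKDF2: ", strong_dups)
    record = pbkdf2_store("Summer2018!")
    print("verify correct password:", pbkdf2_verify("Summer2018!", record))
    print("verify wrong password:  ", pbkdf2_verify("wrong", record))
```

Running it shows one shared hash under the SHA-1 scheme and none under the salted scheme, while verification still succeeds only for the right password. The same structure applies to the other algorithms a site might migrate to (bcrypt, scrypt, Argon2): the essential properties are a unique salt per record, a tunable work factor and a constant-time comparison on verification.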

Conclusion

In my opinion, an outdated and insecure encryption method is more dangerous than no encryption method at all, because people are more careful on sites without an encryption certificate, or decide to avoid using them. On a site with an encrypted digital certificate, people assume it is safe to browse and trust that the personal information they enter is well protected. An outdated and insecure encryption method therefore poses a hidden threat to users’ private information. This can cause more trouble, since a data leak that does not originate on your end is sometimes hard to prevent.

Sources:

https://www.zdnet.com/article/cafepress-fined-500-million-for-shoddy-security-covering-up-data-breach/

https://it.slashdot.org/story/22/03/20/2351231/cafepresss-previous-owner-fined-500000-for-shoddy-security-covering-up-data-breach

https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/?sh=66a2d027407e

https://en.wikipedia.org/wiki/SHA-1

https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

https://www.theregister.com/2019/08/06/cafepress_hack_passwords_stolen/

84 Comments

  1. Interesting post. It makes sense that eventually a well known hash function would be broken at some point. If the binary operations it performs are too predictable, it would be possible to find hashed information. Or if there is a collision, which is probably what happened since it only returns 160 bits, hackers don’t even need the correct information. The collision makes two possible inputs valid.

  2. Good post. It’s good to see that action is being taken against people who fail to handle their users’ information with care, even if the action is as harsh as a $500,000 fine. Hopefully this serves as motivation for those who still use old encryption algorithms that have been declared insecure like SHA-1 in their software to update to something that hasn’t yet been cracked, so that their customers can use their services safely and without worry of having their sensitive data exposed in a leak.

  3. Interesting post. It is odd that a company would do something this lazy when their actions could (and did) compromise millions of its customers’ information. Hopefully, this serves as a valuable lesson, but I feel that the government should make these kinds of negligent decisions face a list of clear punishments. A fine of $500,000 won’t solve the problem, in my opinion, especially when the owner may have a lot of money still. More serious punishments should be stated to deter this kind of negligence, especially since this is not the first time this company was hacked.

  10. It’s unfortunate that these companies can be lazy in safeguarding user information. While it’s great that the company was fined, ultimately, it’s a slap on the wrist for the corporation, while affected users could potentially have their lives ruined with the amount of information leaked. With access to the internet essentially being a human right in today’s world, perhaps in the future we could see “Privacy inspections” being as commonplace as “Food Inspections” in order to safeguard user info.

  11. Great post! Considering life is slowly going back to normal, people are still used to shopping for stuff online. I personally barely shop online but when I do, I always make sure my privacy is not being compromised. I think that is the first thing all of us should at least do after reading so many news articles about getting hacked. In my opinion it was CafePress’s mistake that they continued to use an old security system. They clearly did not want to invest in keeping their users’ data secure. Unfortunately, innocent people were targeted and they ended up with their personal data out in the public. I think the respected authorities should take some sort of action against the company and make sure this never happens again.

  12. In the world of online retailing we seem to find ourselves signing up for another retail service every month or so, all with varying levels of security. But sadly as an end user you probably have no idea how good the security is up until the point where you find your login details on a pastebin somewhere.

    It’s quite shameful to see a company still using SHA-1 when SHA-2 and even 3 have been out for a while. I believe there’s a guide on how to transition from SHA-1 to 2 as well, so this incident seems to be mostly from neglect. I wonder if the owners are reconsidering their actions after getting fined half a million dollars.

  13. Great post! It’s pretty scary to know that your private information is easily accessible due to weak encryption. But since this hash function was well known it was bound to have weaknesses, considering that this hash function appeared to be outdated due to its lack of security there. I’m overall shocked that this company decided to choose this hash function to store users’ personal information.

  14. A concise article. It seems CafePress out of pure negligence facilitated the attack on their systems and records. It doesn’t make sense that a service supporting over 20 million accounts made such a simple mistake as storing sensitive data in plaintext. It really makes you wonder what was happening behind the scenes over there. I hope CafePress learned their lesson and takes measures to ensure better cybersecurity.

  15. Good article! CafePress used an old security system to save money, which resulted in millions of users having their information compromised. Happily, the company is also being punished for its laziness. People’s lives now depend more and more on the Internet; whether for shopping or work, the Internet has become an indispensable part of people’s lives. Therefore, companies should do a good job of protecting user information. I hope CafePress learns from this.

  16. Hate to see it honestly, as online retailers can offer people products locally without the use of big megaretailers like Amazon, but if online retailers that are on the smaller scale cannot keep our data secured then it makes sense to maybe sign up with Amazon or Shopify, which may not support local businesses but whose cybersecurity is decent. Also, the claim that CafePress stored sensitive data in readable text reminds me of when a Missouri State agency’s website had social security numbers stored in the HTML; it’s crazy how data can be leaked because people who make the sites are not implementing good cybersecurity practices.

    1. I understand your view on this but I think we should definitely help the smaller businesses learn about how to protect customer data. I also think we should always try to provide the least bit of information when buying online. Instead of paying with a card directly I can send some money to PayPal and make my purchase using PayPal. It adds a wall of security I guess, because like you said bigger companies know how to protect their data.

  17. Great Post! I have always had doubts about sites like CafePress being not as secure as they should be. It is totally the most important part of any online business to use more secure hash functions and security systems. Since most of the online shopping sites require address and personal information like phone number, credit card number, it is necessary for the sites to have security.

  18. An informative and interesting post. I’m glad to hear that legal action is taken against companies that are obviously not doing enough to keep users’ data secure. Since these issues with SHA-1 have been around for a while it is confusing to think why someone would implement it for private information. It also is a shame that, as pointed out in the post, people are going to think the site is safe because there is some encryption but not realize the dangers of the hash function used. Stories like these make me hesitant to use online retailers.

  19. This is an excellent article! People are still used to shopping online, despite the fact that life is slowly returning to normal. I rarely shop online, but when I do, I make certain that my privacy is not jeopardised. After reading so many news items about being hacked, I believe that is the first thing we should all do. CafePress made a mistake by continuing to use an outdated security method, in my opinion. They evidently did not want to invest in the security of their users’ information. Unfortunately, innocent people were targeted, and their personal information was made public. I believe the appropriate authorities should take action against the corporation and ensure that this never happens again.

  20. I can’t say I’m surprised by news like this. People use dozens of online platforms now and almost all of them store emails and full names, and of course the relevant login credentials. An online shopping platform like this likely also stores shipping and billing addresses, and potentially even payment methods. Government websites and large corporations’ platforms are for the most part expected to provide as much security as possible. If they don’t they are immediately subject to public scrutiny and tend to rectify issues immediately due to either reputational or financial costs. A smaller platform like this cutting corners on security is likely a more frequent event than most would be comfortable with.

  21. I think it is fairly well known that these online retailers are the reason for leaked passwords and personal information. Often, this data is sold by the online retailer, so it would not be beyond them to care whether or not this data is kept safe. A good way to keep safe is to use the bare minimum information, and to use passwords that you never use anywhere else.

  22. Great post! It’s sad to see how much faith people put into these e-commerce services. With the advent of Amazon, e-commerce has become mainstream and has been rebranded as a relatively secure way of accruing goods. Hackers can easily take advantage of our blind faith in the security of these sites, and less secure sites like the one that was in the article, to attack and steal important private information. It’s honestly surprising to me how CafePress wasn’t hacked earlier, especially with the outdated technology they were using.

  24. This is terrifying. The fact that so much info was stolen shows just how incompetent CafePress was with their security. What’s even more puzzling, is their continued use of SHA-1, something that was known to have vulnerabilities back in 2005! They had literal YEARS to update their security but decided not to for some unexplainable reason. I would hope that an online retailer, a service that stores credit card info, would take security incredibly seriously, large or small. I can’t even imagine that they wouldn’t have the resources to be able to upgrade to something like SHA-256. Though, I’m curious to see what their IT team looked like, or if they outsourced all their IT responsibilities to another company.

  25. As a prime example of lazy maintenance, it actually goes to show what happens when a company can’t evolve simultaneously with the current market and even technological advances. It’s very unfortunate that so many users, previous and current, were compromised by an attack that was inevitable. This brings up the question: why haven’t they updated their security protocol after all of these years? What’s going on behind the scenes at corporate really shows the values that CafePress has as a once renowned commerce site.

    Thanks for the read!

  26. Great post! It is apparent that CafePress failed to protect customer information, which can be attributed to an outright, lazy disposition. In my opinion, CafePress being hacked, was inevitable. They were aware of security vulnerabilities, and further failed to remedy these. It is exceedingly apparent that they failed to upgrade their security, despite knowing the risks for their users. Clearly, they should be investigated for failing to protect their customers and uphold adequate safety measures. I would not be surprised if they were outsourcing the creation of necessary safety infrastructure to another company or if their IT team was comprised of entirely unqualified individuals.

  27. Good post. It is surprising to see how a company became lazy and wasn’t able to protect its user information. It is shocking to see the amount of data that was stolen. They were aware of their weakness, they had years to work on it but they decided not to. It is good to see that CafePress is fined $500,000, but obviously it won’t make up for the innocent people whose data has been stolen.

  28. Hi, this was a great post! With online shopping being so expanded these days thanks to covid and many other reasons, it can lead to many other horrible incidents. It is scary how our personal information could be leaked very easily and be used in horrible events. I can’t imagine what the victims of these incidents had to go through; it sounded really horrible.

  29. Great Post! I still believe that some companies use user information, exploit it and sell it to third parties or companies, risking people’s lives, which is not ethical in any possible way, so I am happy to see actions being taken against them.

  30. This is an interesting article! In fact, I’ve always wondered about internet merchants and if our personal information is safe when we submit it. It’s strange that a company would be so careless when its actions might endanger the information of millions of its consumers. A possible threat to users’ private information has been posted by obsolete and insecure encryption technology. As a result, it is preferable to read the privacy statement first and use a credit card rather than a debit card.

  31. How intriguing. You’re definitely right that one may not even consider what type of encryption a site is using when their browser is telling them there is one being used. It’s definitely not something I would have pondered to check before this. The fact that they were using an algorithm proved faulty all the way back in 2005 is also very concerning as it simply shows negligence and complacency. The developers (and owners) of this site seem to have had little care for what occurred to their users and shoppers. Hopefully, if nothing else, this can be a lesson to us all about being more diligent in our web browsing habits, though I do hope it spurs other companies to take initiative and ensure their own encryption is up to snuff as well (if nothing else but to avoid a fine).

    1. In the world of business, it’s very important to keep the customer happy and one way to do that is to make sure their personal details do not get stolen.
    I completely agree with the fine on CafePress as they barely put in any effort to protect their customers; first they use an outdated encryption algorithm (that’s asking to get attacked). The worst part is even when they did get attacked they didn’t learn from their mistake and got hacked a year later.

  32. Interesting post! I’m not surprised that this sort of thing is happening, especially since there’s always a level of ignorance that people have when it comes to retail site security. I find it best to go with more popular shopping sites for these sorts of things, though even then it’s not as secure as we may hope it should be.

  33. Great post!
    Online shopping, online gaming, and overall internet use have increased as a result of the pandemic, resulting in an increase in cyberattacks. The ease with which our personal information might be exposed is worrisome. CafePress failed to protect their customers’ personal information due to a lack of security and carelessness. Hopefully, this incident will encourage other companies that still use SHA-1 or any insecure cryptographic hash functions to upgrade to more secure hash algorithms and security systems. This would allow their customers to use their services with confidence, knowing that their personal and sensitive information would not be exposed or leaked.

  34. Outdated encryption methods that were used at least a couple of years ago have already been made vulnerable, so it would definitely not be suggested to use them for security purposes. Since this incident is happening in a repeated pattern there possibly has not been a better encryption system installed. It is unethical in the way that one’s own design, concept or even personal credentials are stolen and then distributed among others.

  35. Nice post! It is interesting that a company that deals with sensitive information like payment details would not store it in a secure place. It seems like the company was ignorant in terms of the vulnerabilities of this storage system. Consumers will most likely refrain from using their services in the future as a result of their poor security. Hopefully, the company pays attention to security experts and stores their information in a proper format and place.

  36. Hey, great post. It seems that the website does not learn from its errors. I thought it was best practice to update security and remove any data to prevent any future breaches, but clearly, that is not the case with CafePress. I think customers need to take an active role in boycotting companies that do not care about their users. This would send a clear message to other companies in hopes of tightening their security against online aggression and creating a safe environment for everyone involved. Finally, this lesson should be a cautionary tale for other companies to improve their security.

  37. Interesting post. I haven’t heard of CafePress before so I was pretty shocked to see how many people were using it when it got hacked. What’s even more shocking is the terrible encryption system that CafePress was using. The fact that 23 million people got hacked during that attack is more than enough evidence to show that their security was very weak. Stores and websites such as CafePress need to be more cautious with their cybersecurity because they have access to so much important information. If these types of companies are being lazy with their security, especially in the digital era we live in today, it is going to be a very big problem.

  38. Great post! It is clear that there has been a lack of diligence from CafePress when it came to updating their security protocols. It is astounding that a site with so many users would be so careless. I have read recent posts about how large companies have neglected their users’ privacy and it seems to be a trend. Their lack of concern for their customers makes it seem like they have little concern for their user base.

    It is good that companies like Microsoft and Google refuse to take SHA-1 web encryption digital certificates but it is clearly not enough. Federal agencies need to be more strict when it comes to such things. Data leaks are no joke and losing your social security number is one of the worst breaches of privacy. That is why I recommend people use websites like “haveibeenpwned” to be more aware of whether they’ve been a victim of such leaks. Thanks for the informative post Zhengru.

  39. Hey, that was a really good post. It’s encouraging to learn that legal action has been taken against corporations that aren’t doing enough to protect their customers’ data. Since these SHA-1 flaws have been known for a long time, it’s difficult to imagine why someone would use it to protect private data. I believe CafePress made a big mistake by continuing to use an old security approach. They were unwilling to invest in the safety of their users’ data. As a result, using the bare minimum of information and passwords that you never use anywhere else is an excellent strategy to defend yourself from these assaults.

  40. Online retailers should not try to save money on security and privacy. Leaks can be catastrophic. Users’ personal privacy can have unimaginable consequences if it is used illegally. The retention period of information in Internet services should be regulated, otherwise this phenomenon and negligence will always occur.

  41. This is a very good post. With the increasing popularity of online trading, people now have more options among different online trading sites. Most people who trade on these sites are generally suspicious of the seller’s goods but rarely consider the vulnerability of the site itself. Online retailers have too much private information in their accounts. It’s hard for people to accept having their online activities monitored, and it’s hard for people to accept having their addresses made public. A large part of the reason these irresponsible online retailers exist is that there is no clear and specific law that restricts the actions of these people. If online retailers were required by law to use the most up-to-date and secure systems, I think this would reduce the number of such incidents.

  42. Interesting post! I agree with your opinion that, sometimes, an outdated and insecure encryption method can be more dangerous than no encryption. CafePress was careless and irresponsible in safeguarding user information, which led to data leaks. Online retailers should update their security frequently to avoid this kind of issue. There should be an ongoing annual audit of a website’s security protocol after providing encrypted digital certificates, because a lot of users would consider a website safe to browse when there is an encrypted digital certificate.

  43. This is a very good post. Many times shopping websites are also a major source of information leakage. And their servers store a lot of customer data, payment information, passwords, and many people do not have the habit of using different passwords for different websites, so knowing the password of a website means that all websites can be opened.

  44. It is certainly disappointing that an online retailer cannot even guarantee security for their customers. To be hacked once is already damaging to a company’s reputation, but for it to happen twice? This is exactly why skimping out on security is not a good business move by any stretch. It reflects poorly on the company, and now it loses the trust of its users. Great post!

  45. I think your last paragraph is a very interesting point and I agree that an outdated system that makes people think it’s safe to use, compared to no system at all, is very and even more dangerous, as people will let their guard down thinking they’re safe, compared to being aware of there being no system at all so people avoid its use.

  46. This post touches upon a very important issue! Online retailers have been growing substantially, and will only continue to grow from here. With the vast amount of customer data that these companies keep track of, it becomes increasingly important that they are well protected—an expectation customers have for these companies. I find it concerning that there are still retailers that use outdated encryption methods, and agree with the comment made about a lack of encryption being better than an outdated encryption method. To me it seems like the use of an outdated encryption method is an attempt to claim that there is a ‘shield’ protecting customer data, when in fact the shield is made out of styrofoam.

  47. This was a great post – concise as well! It should be the duty of all online retailers to make sure that their security is updated all the time. It is really unfortunate that such companies can end up losing the trust of a lot of customers for reasons such as this. In situations like this, the retailer is bound to mess up its reputation. I agree that people should never trust any website with their personal information with encrypted digital certificates that are outdated and unsecured.
    All in all, this was really informative.

  48. It’s crazy to see that an established website like CafePress uses an outdated hashing algorithm like SHA-1. You’d expect that given the amount of users and the vast amounts of sensitive data, they would take more caution when implementing security features. I have to agree with you that using no security is better than using an easily targetable hashing algorithm because in that way, users are aware that their data is at risk of being stolen. In today’s world where data is worth more than anything else, it’s scary to think that some of our data may have been stolen and is being used for malicious intent by someone else. Overall great post!

  49. Great post, I am glad to see that there are consequences for companies who don’t take the proper steps to protect their customers’ data. Hopefully the $500,000 inspires CafePress to change the hash function that they use.

  50. I like how at the end you say that bad encryption is worse than no encryption. To look at it from the company PoV, it shows that they are at least semi-confident in their encryption. Though this also shows that they believe that this is adequate with little need to fix it.

  51. I think consumers should be more informed when shopping online. Basic knowledge of security and what encryption methods should be used is important in order to keep our personal information safe. If a retailer is using an outdated encryption method like SHA-1, people should raise awareness so that consumers stay away from their website.

  52. Thanks for bringing this to light. I am often concerned about giving my credit card details along with my personal information to many websites. However, sometimes you do not have any option other than to give your personal information and hope for the best. The algorithm they were using was wrong and unsafe and yet they did not care about clients’ data. It is very shocking to know that they could care so little. On the other hand, there are companies spending millions on IT departments to strengthen their digital security. In my opinion, there should be a system where people have to get a license to make websites, and licenses would get revoked if their system was not up to date with modern security.

  53. Stunning article! The idea that 23 million accounts were compromised alone makes me wonder if this company is even fully legitimate. I know that a common way for hackers to gain information regarding login credentials is to set up a new site and match emails with reused passwords, so the sheer number of account compromises reminds me of an attack like that. The sheer audacity of this company to store sensitive data in readable text alone is astounding to me, on top of using SHA-1 encryption. Honestly, I think the fine is fully justified and they should be closely monitored if they continue staying in business.

  54. Interesting post! As we learnt in class, encryption is really important, so it is very weird to see websites with so little care that they continue to use the same encryption even though it is outdated. It is also crazy to see that even though they got hacked once before, they did not take the appropriate steps to make sure it did not happen again. It sucks to see websites care so little about their customers, especially when customers put trust in these companies to protect their information. I hope that those who still use SHA-1 will make the switch as they have a duty towards their customers.

  55. This is an interesting post. Encrypted websites make us mistakenly think that they must be safe. In fact, many of their risks are unknown to us. Although online retailers allow customers to create their own products, their security is not high. The account was hacked and personal privacy was leaked, which seriously damaged the users’ information. Faced with this serious problem, the company did not implement measures to solve the problem in time, resulting in the disclosure of information many times. The company should be fined, but it can’t make up for the interests of users whose information is stolen. Companies should upgrade their website security system as soon as possible to protect their users’ data.

  56. As someone who shops online frequently, this post makes me more cautious about what kind of information I give out for online transactions – thank you!
    It is irresponsible of CafePress to not properly protect its customers’ information online, and it’s relieving to know that they are held accountable with a fine. Hopefully, the cybersecurity of online businesses is frequently audited and insufficient protections are held responsible with consequences before innocent customers have their information leaked.

  57. Interesting topic! It’s very terrible that these firms can be so careless with consumer information. While it’s fantastic that the firm was penalized, it’s just a slap on the wrist for the company, while the impacted users’ lives might be damaged as a result of the quantity of information disclosed.

  58. Nice post! Reading articles like these makes me refrain from shopping online. It is disappointing to see companies undermine the importance of security and use poor encryption. Unfortunately, trusting users suffer the consequences. I feel like a $500,000 fine won’t make up for the loss of 23 million customer records, but hopefully, CafePress learned its lesson.

  59. Nice post! This is pretty crazy, I mean what kind of retail store needs social security numbers to make purchases, and why are they storing that information. It kind of sucks that weak encryption was the reason they got hacked, because it seems like they were just being lazy and staying with SHA-1 instead of updating to a more modern hash function. The store should be doing all they can to fix their system and management, as well as compensate their customers. Thanks for the post!

  60. The security practices of private companies are poorly regulated, and since penalties typically amount to no more than a slap on the wrist, companies are not incentivized to change. CafePress storing customer data in plaintext format is one of the most basic security mistakes that a tech company can make. As an online retailer which subsists on business through web traffic, they should have invested more into ensuring their customers’ security. From a development perspective, security does not have to be complicated – languages, packages and frameworks exist that make implementing encryption standards relatively easy. A commitment to even basic security practices here (like not storing info in plaintext) would have been enough to protect their customers. Until more stringent laws and penalties are enforced upon tech firms that don’t do their due diligence with regards to security, consumers will have to protect themselves through other means like using a password manager. That way they can store complex passwords without reuse so that the damage from breaches like these is limited to only one account rather than multiple.
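To make the point in the comment above concrete, here is an added example (not code from the post or from CafePress) contrasting the weak scheme the post describes, a bare unsalted SHA-1 over the password, with a salted, memory-hard password hash built from Python’s standard library. It also includes a small audit helper that flags stored records still in the legacy format so they can be scheduled for rehashing at next login. The usernames and passwords are constructed sample data, and the `scrypt$…` record layout is an assumption made here for illustration, not a format any library prescribes.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample credentials for the demonstration (not real user data).
# Two users deliberately share a password to show what an unsalted hash leaks.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2-but-longer",
}

# scrypt work factors: 128 * N * r bytes of memory (16 MiB here), one thread.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_LEN = 2 ** 14, 8, 1, 32


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 over the password.

    Identical passwords give identical digests, so a stolen table reveals
    which users share a password, and a single lookup table covers everyone.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard password hash using hashlib.scrypt (OpenSSL 1.1+).

    The record layout 'scrypt$N$r$p$salt_hex$digest_hex' is an assumption of
    this example so the parameters travel with the hash and can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt; never reused
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    try:
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except ValueError:
        return False  # malformed record or bad parameters
    return hmac.compare_digest(candidate, expected)


_LEGACY_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def needs_rehash(stored: str) -> bool:
    """Audit helper: True for records that are not in the current scrypt format.

    A bare 40-hex-digit string is what an unsalted SHA-1 store looks like; such
    users should be transparently rehashed the next time they log in.
    """
    if _LEGACY_SHA1.match(stored):
        return True
    parts = stored.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N


def shared_password_groups(records: dict) -> int:
    """Count how many distinct stored values are shared by more than one user.

    For an unsalted store this is the number of password groups an attacker
    learns for free; for a salted store it is always 0.
    """
    counts = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    legacy = {u: sha1_unsalted(p) for u, p in SAMPLE_USERS.items()}
    modern = {u: scrypt_hash(p) for u, p in SAMPLE_USERS.items()}
    print("shared groups, unsalted SHA-1:", shared_password_groups(legacy))
    print("shared groups, salted scrypt: ", shared_password_groups(modern))
    print("records needing rehash:", [u for u, v in legacy.items() if needs_rehash(v)])
    print("alice verifies:", scrypt_verify(SAMPLE_USERS["alice"], modern["alice"]))
```

The verification path reads the work factors out of the stored record rather than from constants, so the parameters can be raised for new records without breaking old ones, and `needs_rehash` gives an operator a way to measure how much of a credential store is still in the legacy shape before a migration is declared done.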

  61. I think this is extremely troubling. This is just a brewing ground for identity theft with the storing or needing of social security numbers in this way. I hope other places using similar methods will learn from this as it definitely should not be allowed. Consumers nowadays are very concerned with their safety and this probably hurt them in more ways than one.

  62. Identity theft is a problem that transferred from the offline world to the online world. In this case it’s pretty simple, as the example given shows they didn’t really secure it properly with their hash function. It could be that many other stores have similar laxity towards security.
