The Federal Trade Commission filed a complaint against CafePress, including its former and current owners, for failing to adequately respond to a series of breaches, the commission announced Tuesday.
At the center of the complaint is a breach against CafePress, an online retailer of custom user-designed products, that occurred in February 2019. The breach resulted in the theft of personal data from more than 20 million customer accounts, including names, addresses, phone numbers and passwords hashed with the outdated SHA-1 algorithm. In its announcement, the FTC claimed CafePress "failed to secure consumers' sensitive personal data and covered up a major breach."
Have I Been Pwned, a free service that allows users to check if their data has been exposed or stolen, reported the breach in August 2019; however, CafePress did not notify customers until the following month, September, via email. A public disclosure posted to the CafePress website has since been removed.
The respondents in the case are former owner Residual Pumpkin Entity LLC and current owner PlanetArt LLC.
PlanetArt, a company that primarily acquires personalization companies, purchased all of CafePress' assets, including the name, from Shutterfly in September 2020. Shutterfly-owned Snapfish had acquired CafePress in 2018 for approximately $25 million. Following PlanetArt's acquisition, the company formerly known as CafePress changed its name to Residual Pumpkin, according to the complaint.
The connection between Residual Pumpkin and Shutterfly is unclear. However, in a December 2020 document, the president of Residual Pumpkin was listed as Jason Sebring. A person named Jason Sebring was Shutterfly's senior vice president and general counsel at the time the document was signed.
SearchSecurity contacted Shutterfly for comment on the FTC complaint and its potential connection to Residual Pumpkin, but the company had not responded as of press time.
PlanetArt did not respond to requests for comment.
Allegations against CafePress
The FTC said in its complaint that CafePress "failed to provide reasonable security for the Personal Information stored on its network."
The FTC said CafePress stored Social Security numbers, as well as security questions and answers, in plain text. In addition, CafePress allegedly stored information indefinitely in its network, failed to implement low-cost protections against "well-known and reasonably foreseeable" vulnerability exploits, and did not require complex passwords from users and vendors. The FTC also criticized CafePress' response, claiming the retailer failed to disclose incidents to relevant parties in a timely manner.
According to the timeline presented in the complaint, CafePress was notified of the breach in March 2019 by an individual claiming the information was being sold in "certain circles." CafePress addressed the vulnerability that month. In April, a foreign government notified CafePress that data had been stolen and was being sold to a large number of credit card thieves.
Soon after, CafePress required users to reset their passwords, with the reason being "only that the company had updated its password policy." The company told "individuals, law enforcement, and regulators" that this reset blocked passwords from further unauthorized use, but this was not the case.
"Until at least November 19, 2019, Residual Pumpkin continued to allow [CafePress] passwords to be reset through Residual Pumpkin's website simply by answering a security question associated with an email address -- information that was stolen in the breach -- without confirming that the individual attempting to change the password controlled that email address," the FTC complaint read. "Thus, until November 2019, anyone with access to the breached data could take over another user's account."
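The two weaknesses the complaint describes, plaintext security answers alongside SHA-1 password hashes and a reset flow that accepts the security answer as sole proof of identity, are easy to see side by side in code. The following Python is an added illustration, not code from the complaint, CafePress or the FTC: WeakResetService models the reset path quoted above, and HardenedResetService shows the usual fix, a salted slow hash (scrypt) for stored secrets and a single-use, time-limited token that must be read from the account's mailbox before the password can change. The account data, the injectable clock and the outbox dictionary standing in for email delivery are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value: reset links expire after 15 minutes


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash (scrypt) for passwords and security answers.
    Unlike unsalted SHA-1, each guess costs real CPU and memory, and two users
    with the same secret do not share a digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def normalize_answer(answer: str) -> str:
    # Security answers are compared ignoring case and surrounding/repeated whitespace.
    return " ".join(answer.casefold().split())


class WeakResetService:
    """Models the flow in the complaint: SHA-1 passwords, plaintext security
    answers, and a reset that checks nothing but the answer."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, email: str, password: str, answer: str) -> None:
        self.accounts[email] = {
            "password_sha1": hashlib.sha1(password.encode("utf-8")).hexdigest(),
            "answer": answer,  # stored in plain text, so it leaks with the database
        }

    def reset_password(self, email: str, answer: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct["answer"] != answer:
            return False
        # Anyone holding a breached (email, answer) pair reaches this line: account takeover.
        acct["password_sha1"] = hashlib.sha1(new_password.encode("utf-8")).hexdigest()
        return True


class HardenedResetService:
    """Reset requires a single-use, time-limited token delivered to the
    account's mailbox, so a stolen security answer alone is not enough."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.accounts: dict = {}
        self.outbox: dict = {}  # constructed stand-in for sending the token by email
        self._now = now

    def register(self, email: str, password: str, answer: str) -> None:
        self.accounts[email] = {
            "pw": hash_secret(password),
            "answer": hash_secret(normalize_answer(answer)),
            "reset": None,  # (sha256(token), expiry) while a reset is pending
        }

    def request_reset(self, email: str) -> None:
        acct = self.accounts.get(email)
        if acct is None:
            return  # identical behaviour for unknown addresses: no account enumeration
        token = secrets.token_urlsafe(32)
        acct["reset"] = (hashlib.sha256(token.encode("utf-8")).digest(),
                         self._now() + TOKEN_TTL_SECONDS)
        self.outbox[email] = token  # only whoever controls the mailbox can read this

    def complete_reset(self, email: str, token: str, answer: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct["reset"] is None:
            return False
        token_digest, expiry = acct["reset"]
        if not hmac.compare_digest(hashlib.sha256(token.encode("utf-8")).digest(), token_digest):
            return False
        acct["reset"] = None  # single use: a matching token is consumed whatever happens next
        if self._now() > expiry:
            return False
        if not verify_secret(normalize_answer(answer), *acct["answer"]):
            return False
        acct["pw"] = hash_secret(new_password)
        return True

    def check_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and verify_secret(password, *acct["pw"])
```

The hardened service keeps the security question only as a secondary check; the token proves control of the mailbox, which is exactly the step the complaint says was missing. Storing a SHA-256 digest of the token rather than the token itself means a later database leak does not hand out live reset links, and consuming the token on first use stops a captured link from being replayed.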
Other CafePress breaches
The FTC complaint also listed other breaches against CafePress. In addition to a history of shopkeeper accounts being hacked, CafePress experienced multiple malware infections in 2018 and 2019 against its servers and employees, several of which appeared to result from phishing attacks.
One notable example came in August 2018.
"In August 2018, Residual Pumpkin became aware that an employee had been targeted by multiple phishing attempts," the complaint read. "A scan showed the employee's computer was infected with malware, including a backdoor bot, a 'Trojan' downloader, and a password stealer. Additionally, the employee's email account had been configured for months to forward all incoming email to unknown third-party email addresses."
It continued, "In response to this security incident, Residual Pumpkin replaced the particular computer that was infected, but failed to take reasonable steps to detect, remediate, and prevent similar infections on other devices on its network."
Similar malware was found on the payroll administrator's computer in February 2019. Possibly as a result, the FTC said that in "April, May, and September 2019, an identity thief or thieves used Personal Information belonging to three Residual Pumpkin employees to try to change the employees' payroll direct deposit information. Only after the third incident did Residual Pumpkin at last begin an investigation."
The FTC announcement referenced additional cover-ups, though the complaint only detailed the concealment of the February 2019 breach.
"CafePress employed careless security practices and concealed multiple breaches from consumers," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "These orders [proposed against CafePress] dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information."
The proposed settlement attached to the complaint requires Residual Pumpkin to pay $500,000 to compensate data breach victims. PlanetArt, meanwhile, will be required to notify consumers whose personal information was accessed via CafePress data breaches and provide information to consumers regarding how they can protect themselves. Both companies will also have to undergo a third-party information security assessment.
Alexander Culafi is a writer, journalist and podcaster based in Boston.