Add passwords to list of stuff CafePress made hash of storing, says infoseccer. 11m+ who used Facebook 'n' pals to sign in were lucky

Passwords were among the 23 million customer records siphoned from CafePress by hackers – and the site was using the less secure SHA-1 hashing algorithm to store half of its users' credentials.

As El Reg and the rest of the security-focused media reported yesterday, CafePress had around 23 million customer records exfiltrated from its systems back in February.

That data theft came to light yesterday after Troy Hunt, operator of the Have I Been Pwned hack-tracking website, learned that the hack had taken place and that millions of peoples' credentials were circulating on hacker forums.

Infosec researcher Jim Scott told The Register that he found the swiped info after rumours of it reached Troy Hunt's ears in mid-July. The stolen data included email addresses, names, phone numbers, and physical addresses – and, as it now turns out, passwords, too.

Scott told The Register: "Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA-1, which is a very weak [one-way] encryption method to use, especially in 2019 when better alternatives are available."

Hunt, meanwhile, mused that he'd seen both "a heap of identical base64 encoded 'passwords'" and then "some SHA-1 versions stored in hex then base64 encoded", leading one infoseccer to speculate that a planned migration had been taking place, although CafePress has not commented on this, nor on the database heist at all.

As for people affected by CafePress, Scott offered some comfort to those who logged in via third-party providers.

"The remaining users who used CafePress through third-party applications, such as FaceBook or Amazon, had no compromised passwords," he said, adding: "It is very disappointing and frustrating to see when companies are unable to protect their users' information when the necessary approach for better protection is available. And when an incident like this occurs, it is often the user who has to pay the price for other people's mistakes."

He encouraged people to use multi-factor authentication, to which El Reg adds the standard advice to also use a password manager. If nothing else, it makes identifying and changing your passwords after a cyber-break-in just that little bit easier – but good ones will also allow the generation of unique and, hopefully, hard-to-guess login credentials. ®