CafePress 2019 Data Breach
ObscureIQ Breach Intelligence
Low SeverityWebsite / service breach
CafePress Custom Merchandise Marketplace Breach (2019): 23 Million Customer Records Including Passwords & Home Address Exposed
Custom merchandise and print-on-demand marketplace.
Verified by ObscureIQ Intelligence
34/100Breach Risk Index
10Data Value
25Market Recency
512dSince Breach
Breach Intelligence Summary
Entity: CafePress · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Custom merchandise and print-on-demand commerce · Print-on-demand marketplace · USA
Timeline: Breach (2019-02-20) · Indexed (Dec 01, 2024) · Year (2019)
Exposure: 23.6M records · 5 fields: Email Address, Full Name, Password, Phone Number, Physical Address
Status: Confirmed
Executive Summary
CafePress, the custom merchandise and print-on-demand marketplace, suffered a data breach in February 2019 when attackers exploited security misconfigurations to access its user database. The stolen cache contained records for approximately 23.6 million accounts. The company was alerted to the breach by a security researcher in March 2019 and separately warned by a foreign government in April 2019 that customer data was already circulating on dark web markets. CafePress quietly forced password resets but offered no explanation, and did not notify customers until September 2019, one month after media outlets broke the story publicly. The exposed data included email addresses, full names, home addresses, phone numbers, and passwords hashed with outdated, unsalted SHA-1 encoding, a method considered insecure and easily reversed. The breach also exposed millions of unencrypted security question answers, tens of thousands of partial payment card numbers, and more than 180,000 Social Security numbers stored in plaintext. For affected individuals, this combination creates serious risk of credential stuffing, identity theft, and targeted phishing. Because CafePress is a print-on-demand platform, custom product and storefront data may also expose personal affiliations that users would not expect to be part of a merchandise site's breach. The Federal Trade Commission filed a complaint against both the former owner, Residual Pumpkin Entity LLC, and current owner PlanetArt in 2022, citing weak security practices, plaintext storage of sensitive data, and misrepresentation of the company's data security. The settlement required Residual Pumpkin to pay $500,000 in redress, with refunds distributed to individuals whose Social Security numbers were exposed beginning in September 2024. Both companies were also required to implement comprehensive security programs including multi-factor authentication. People affected by this breach remain at elevated risk for identity fraud and should monitor their credit and any accounts where they reused the same password.
ObscureIQ assessment: Exposure enables phishing, seller impersonation, order fraud, and account abuse. Custom-product and storefront data may also reveal political, cultural, or personal affiliations.
Breach Impact
In February 2019 an attacker exploited multiple security vulnerabilities to access CafePress systems, stealing data for approximately 23 million accounts including email addresses, names, physical addresses, security question answers, weakly encrypted passwords, tens of thousands of partial payment card numbers, and more than 180,000 Social Security numbers stored in plaintext. The company was notified of the breach in March 2019 by a security researcher but concealed the incident for six months, requiring password resets while characterizing the change as a routine policy update. A foreign government separately warned CafePress in April 2019 that customer data was for sale on dark web markets. CafePress did not notify affected customers until September 2019 — one month after the breach was publicly reported by media outlets. The FTC filed a complaint against both the former and current owners in 2022, citing careless security practices, plaintext storage of Social Security numbers, cover-up conduct, and misrepresentation of data security practices. The settlement required Residual Pumpkin to pay $500,000 in redress to affected individuals and mandated that both companies implement comprehensive security programs including multi-factor authentication. Refunds were distributed to SSN-affected individuals beginning in September 2024.
About CafePress
CafePress is a custom merchandise and print-on-demand marketplace where independent sellers — called shopkeepers — design and sell personalized products including apparel, mugs, and accessories. The platform connects individual designers with buyers and takes a commission on sales. CafePress was acquired by Snapfish parent company PlanetArt in 2020, having previously operated under Residual Pumpkin Entity LLC.
Why They Hold Your Data
Print-on-demand marketplaces collect buyer and seller identity, addresses, payment-adjacent data, order history, storefront activity, and custom-product records across creator commerce workflows.
Recent Developments
CafePress continues to operate under PlanetArt's ownership following a corporate restructure. The platform operates in a crowded custom merchandise market alongside competitors including Redbubble and Printful. The FTC enforcement action and required security improvements represent the most significant organizational consequence of the breach period.
Data Points Exposed
5 verified field types
Email Address
Full Name High
Password Critical
Phone Number
Physical Address High
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:Critical
Primary downstream threats:
- Credential stuffing against reused passwords across other platforms
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat vectors:
- Phishing, credential stuffing & account takeover
- Name-based social engineering
- Credential stuffing & account takeover
- SIM swapping, vishing & SMS phishing
- Physical stalking, mail fraud & identity verification
- Home targeting, stalking & physical threat
Recommended Actions
If you believe your information may be included:
Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the CafePress breach?▾
CafePress, the custom merchandise and print-on-demand marketplace, suffered a data breach in February 2019 when attackers exploited security misconfigurations to access its user database. The stolen cache contained records for approximately 23.6 million accounts. The company was alerted to the…
What data was exposed?▾
Verified fields include Email Address, Full Name, Password, Phone Number, Physical Address.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
Breach Index
Cross-source
9ghz
Cross-source
BreachForums_Official_Index
Cross-source
DataViper.io
Cross-source
leakfind
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation