CafePress, the custom merchandise and print-on-demand marketplace, suffered a data breach in February 2019 when attackers exploited security misconfigurations to access its user database. The stolen cache contained records for approximately 23.6 million accounts. The company was alerted to the breach by a security researcher in March 2019 and separately warned by a foreign government in April 2019 that customer data was already circulating on dark web markets. CafePress quietly forced password resets but offered no explanation, and did not notify customers until September 2019, one month after media outlets broke the story publicly. The exposed data included email addresses, full names, home addresses, phone numbers, and passwords hashed with outdated, unsalted SHA-1 encoding, a method considered insecure and easily reversed. The breach also exposed millions of unencrypted security question answers, tens of thousands of partial payment card numbers, and more than 180,000 Social Security numbers stored in plaintext. For affected individuals, this combination creates serious risk of credential stuffing, identity theft, and targeted phishing. Because CafePress is a print-on-demand platform, custom product and storefront data may also expose personal affiliations that users would not expect to be part of a merchandise site's breach. The Federal Trade Commission filed a complaint against both the former owner, Residual Pumpkin Entity LLC, and current owner PlanetArt in 2022, citing weak security practices, plaintext storage of sensitive data, and misrepresentation of the company's data security. The settlement required Residual Pumpkin to pay $500,000 in redress, with refunds distributed to individuals whose Social Security numbers were exposed beginning in September 2024. Both companies were also required to implement comprehensive security programs including multi-factor authentication. People affected by this breach remain at elevated risk for identity fraud and should monitor their credit and any accounts where they reused the same password.

Print-on-demand marketplaces collect buyer and seller identity, addresses, payment-adjacent data, order history, storefront activity, and custom-product records across creator commerce workflows.

CafePress continues to operate under PlanetArt's ownership following a corporate restructure. The platform operates in a crowded custom merchandise market alongside competitors including Redbubble and Printful. The FTC enforcement action and required security improvements represent the most significant organizational consequence of the breach period.