StockX isn't the only company that appears to have warned users about a data breach through password resets. T-shirt seller CafePress has been asking customers to choose new passwords as part of an updated "password policy," but the news came soon after reports that the site had been the victim of a data breach in February. Have I Been Pwned claimed that over 23.2 million accounts had been exposed, including email addresses, names, physical addresses and phone numbers.
We've asked CafePress if it can comment, although there don't appear haven't been any notification emails or formal disclosures mentioning a breach. About 77 percent of the email addresses in the breach have shown up in previous HIBP breach alerts.
Provided the reports of a breach are accurate, they raise a number of questions. How recently did CafePress learn of the breach? Has it done anything else to improve security? And why would it only acknowledge a breach through a password reset that doesn't even mention the security incident? There has been pressure for clearer data breach disclosures, and this could be a textbook example of why. Many users might not even know that there was a breach, let alone how it affects their personal info.