Hardly a week goes by that we don’t see another major data breach making the headlines.

The latest company to fall victim to hackers is CafePress.

They are well-known on the internet for offering a platform where users can create their own customized coffee mugs, tee shirts and the like.

The company didn’t make a formal announcement about the breach, and users only became aware of it when they started getting notifications from Troy Hunt’s “Have I Been Pwned” service. Once word started leaking out, Hunt joined forces with security researcher Jim Scott, who had worked with Hunt in the past tracking down other data breaches.

Working together, they discovered a de-hashed CafePress database containing nearly half a million accounts was being sold on black hat forums.  The researchers could not confirm, however, if these records were related to the most recent breach, or some previous one.

In any case, as they probed more deeply, they discovered that the company was actually hacked back in February of this year (2019), and that it was a significant breach. That breach exposed more than 23 million user records.  Based on their findings, the hack exposed email addresses, names, passwords, phone numbers and physical locations.

To date, CafePress has not made a formal announcement about the matter, nor acknowledged the breach in any way. Although if you are a CafePress user, you will be forced to reset your password the next time you log on.

While that’s a good step, it’s completely at odds with the company’s clumsy handling of the issue.  Password resets are not breach disclosures and notifications, and shouldn’t be treated as such.  File this away as an example of how not to handle a breach if your company is hacked.