In brief: The data breach tracking website said 23,205,290 accounts were compromised, revealing personal information including unique e-mail addresses and in some cases, names, physical addresses and phone numbers.

CafePress, the online merch shop that sells stock and user-customized t-shirts, mugs, stationary and more, suffered a data breach in February that exposed personal information on 23 million users according to Have I Been Pwned.

Troy Hunt from Have I Been Pwned said the data was provided to him by a source who requested it be attributed to JimScott.Sec@protonmail.com.

Jim Scott, the aforementioned cybersecurity researcher, told Forbes that roughly half of the accounts compromised also had their passwords exposed in base64 SHA1, “a very weak encryption method to use especially in 2019 when better alternatives are available,” he added.

As of writing, CafePress has not publicly commented on the matter. Some users have reported that they have been prompted to reset their password when attempting to log into their CafePress account. It’s entirely possible that CafePress was not even aware of the breach until today.

A service similar to Have I Been Pwned called We Leak Info reportedly added the CafePress breach to its database in mid-July but it went largely unreported.

Masthead credit: CafePress homepage by Casimiro PT