Tag Archives: lame

Data Breach – CafePress

Just the Facts

Timeline:

20 February 2019 – CafePress is hacked and over 23 million accounts are compromised.

13 July 2019 – According to this Forbes article, We Leak Info adds the CafePress breach to their database.

5 August 2019 – The author of the Forbes article receives an email from have i been pwned about the CafePress breach.

20 September 2019 – I receive an email from CafePress about the “Data Security Incident”.

My Take

It’s been 7 months since the data was stolen. If it hadn’t been found in the wild by third parties, they still might not know.

It’s been at least 2 months since they found out and they just now got around to telling their customers.

I didn’t have a CafePress account. Just to be sure, I tried to log in:

Whew!

I’ve only purchased from them maybe twice in my life and not for years. That means the hackers only got my name, email, phone number, and physical address. That also means that CafePress kept (I hope it really is past tense) purchase and account records in an internet-facing database for a long time.

A non-apology worthy of a politician caught red-handed:

"...sincerely regret any concern it may cause you"

So they’re not sorry. They just regret that I may have concerns. Concerns that may keep me from giving them my money in the future? That’s like saying something awful to someone and then saying “I regret that your feelings are hurt.”

“…And other information.” I learned that physical addresses were included from haveibeenpwned.com.

Later in the email is this:

“What We Are Doing

We have been diligently investigating this incident with the assistance of outside experts. We also have contacted and are cooperating with federal law enforcement authorities. In addition, we have taken various steps to further enhance the security of our systems and your information, and the affected database has been moved to a different environment.”

Not much and pretty vague. The part where the customer has to do things is so long it refers to another section:

“What You Can Do

As described in the “Additional Resources” section below, we recommend you remain vigilant and take steps to protect against identity theft or fraud, including monitoring your accounts and free credit reports for signs of suspicious activity.

We also recommend that you visit the CafePress website at www.cafepress.com and log in to any online account you may have, which should prompt you to change your account password, if you have not done so recently.”

They go on to say:

“In general, you should always ensure that you are not using the same password across multiple accounts, and that you are using strong passwords that are not easy to guess.”

There, there [pat on the head]. That’s trivial, deflecting, and condescending. A user account didn’t cause this, CafePress’s incompetent security did. How about I take investment advice from Bernie Madoff?

One more bit and I’ll stop ranting. About this. For a while.

All of the links in the email, including the big 3 credit reporting agencies, go through CafePress’s email list provider.

I know, let's make the incident email look like spear phishing!

I mean, why wouldn’t I trust a link with

…krmpkhgftlhjtmbmjrsbzjfgrpjltskzppmktwzhsrfp_vjjjfrrrrkynfhgmmfmmrr.html

as much as I trust one that goes to

https://consumer.ftc.gov?
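The pattern above (every link, even the credit-bureau and FTC ones, routed through a mailing-list provider behind an opaque token) is exactly what a mail filter or a cautious reader checks for. The script below is an added example, not code from the original post and not anything CafePress or its e-mail provider published. The e-mail body, the tracking host links.example-esp.test and the token strings in it are all constructed for the demonstration; it flags an anchor when the host shown in the link text is not the host the href actually goes to, when the final path segment is a long vowel-free token rather than a readable page name, or when the link is not https.

```python
"""Flag links in an incident-notification e-mail that look like phishing.

Added example. The HTML below, the tracking host links.example-esp.test
and the path tokens are constructed; no real CafePress or ESP URL is used.
"""
import re
from urllib.parse import urlparse

# Constructed sample: three "helpful" links go through the list provider,
# one goes straight to the FTC, one goes to the vendor's own login page.
SAMPLE_EMAIL_HTML = """
<p>Log in at <a href="https://links.example-esp.test/ls/click/qzxkvjtrmpnwlsdfghbmcnzxqvrtlpkjhgfdsbnmczx.html">https://www.cafepress.com</a></p>
<p>Free credit reports: <a href="https://links.example-esp.test/ls/click/wrtkpmnbvcxzlkjhgfdsqwrtyplkmnbvcxz.html">annualcreditreport.com</a></p>
<p>FTC guidance: <a href="https://consumer.ftc.gov">consumer.ftc.gov</a></p>
<p><a href="https://www.cafepress.com/account">Log in</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A host name appearing in the visible link text ("www.cafepress.com", "consumer.ftc.gov").
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.gov/.test hosts used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_opaque(path):
    """True when the last path segment is a long token with almost no vowels.

    Real page names ("data-security-incident.html") are pronounceable;
    click-tracking tokens are not.
    """
    last = path.rsplit("/", 1)[-1]
    stem = re.sub(r"\.[a-z0-9]+$", "", last, flags=re.I)
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(stem) < 20 or not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15


def audit_links(html):
    """Return one finding per anchor: href, visible text, and a list of reasons it is suspect."""
    findings = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        target = urlparse(href)
        link_host = target.hostname or ""
        reasons = []

        shown = HOST_IN_TEXT_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(link_host):
            reasons.append("displayed host %s != link host %s" % (shown.group(1), link_host))
        if looks_opaque(target.path):
            reasons.append("opaque tracking token in path")
        if target.scheme != "https":
            reasons.append("not https")

        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious(html):
    """Only the anchors that triggered at least one reason."""
    return [f for f in audit_links(html) if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_EMAIL_HTML):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the constructed e-mail, the two list-provider links are flagged on both counts (displayed host differs from link host, opaque token) while the direct FTC link and the vendor's own login link pass. The host-mismatch rule is the one that matters for a user: a redirect through a third party is indistinguishable, from the recipient's side, from a phishing link that spoofs the same text.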

CNN sucks

WARNING: This post contains foul language.

This is such a fail I’m not adding the “humor” tag.

The first Democratic debate, hosted by NBC and streamed on Youtube, worked fine.
The second debate, by CNN, was unwatchable. We have a modern smart TV and it has the “CNNgo” app but it wouldn’t work, even with cable credentials. Trying to stream via cnn.com was pathetic. They tried, but the servers were not up to the task. It was useless. Other streaming services worked fine so it wasn’t our network. I found transcripts (from someone other than CNN, of course) the next day.

This time, for the climate town hall, CNN didn’t even pretend not to be greedy incompetent f__ks. They’ll probably edit or take down the page but this is what it says:

Specifically states "CNN.com's homepage" $$ Nothing about GIVE US MONEY $$

I tried watching on an iPad. It crashed and reloaded the page repeatedly. Amazingly, the countdown timer kept working. I tried a laptop and other than buffering and showing an ad with the countdown timer running, it worked-ish. For a while. See, they only showed a 10 minute “preview” before the video stopped working and they shook us down for TV provider credentials:

Democracy in action

Not that that would work, I wasted enough time on CNNgo before.

M has dish credentials. We don’t have it but she pays for her grandma so she can watch her telenovelas. Even if CNN was competent enough for that to work (they aren’t), this is our f__king democracy. Whether you’re a Democrat or not, one of these people may be our next president so it’s kind of important to know what they think about things.

Here’s the thing. Even if it worked, CNN should not be shaking down voters for money in order to provide this information. It’s a privilege that they got the debate and the town hall. It’s guaranteed viewers. Lots of viewers. Embed the ads in the stream and put it on a competent service.

This is capitalism at its worst: 1) They have a monopoly for this event. 2) They shake us down for money. 3) Even if you show, via TV provider credentials, that you gave them money, it DOESN’T F__KING WORK.

CNN: you can buy better, but you can’t pay more.