We've asked CafePress if it can comment, although there don't appear haven't been any notification emails or formal disclosures mentioning a breach. About 77 percent of the email addresses in the breach have shown up in previous HIBP breach alerts.

Provided the reports of a breach are accurate, they raise a number of questions. How recently did CafePress learn of the breach? Has it done anything else to improve security? And why would it only acknowledge a breach through a password reset that doesn't even mention the security incident? There has been pressure for clearer data breach disclosures, and this could be a textbook example of why. Many users might not even know that there was a breach, let alone how it affects their personal info.