BleepingComputer reports that the Federal Trade Commission is moving to impose a $500,000 fine on online customized shirt and merchandise vendor CafePress for a 2019 data breach stemming from its negligence to protect customer data. Unknown threat actors had attacked CafePress' servers in February 2019, compromising data belonging to more than 23 million users, including millions of email addresses and weakly encrypted passwords, as well as unencrypted names, addresses, security questions, and Social Security numbers. The FTC alleged that the incident was caused by former CafePress owner, Residual Pumpkin Entity, keeping customers' password reset answers and SSNs in plain text, while not adhering to the required period for storing such data. "As a result of its shoddy security practices, CafePress' network was breached multiple times," said the FTC, which added that both Residual Pumpkin and PlanetArt, which now owns CafePress, should adopt multi-factor authentication and SSN encryption, while curbing data gathered and retained in their servers.