Etsy said it did not mean to imply in its announcement to users last week that the recent eBay security breach was the major contributor to a rise in account hijackings on its own marketplace, telling EcommerceBytes on Monday it was a combination of high-profile and low-profile security breaches that led to the hijackings on Etsy. “We are not naming names – there are no names to name,” a spokesperson said.
Etsy had issued a warning to members on June 3rd, stating, “If you have been following the news recently, you may have seen that a number of high-profile websites have suffered security incidents. These attacks unfortunately resulted in a large number of usernames and passwords from those sites being compromised. Whenever this happens, it can put accounts on other websites that have not been attacked at risk, especially if the same login information has been used across multiple websites.”
eBay had announced a massive security breach in mid-May and sent emails to users asking them to change their password as a precaution.
In response to the article describing the Etsy hijackings as “a direct result of usernames and passwords stolen in other attacks,” eBay reached out to EcommerceBytes and said it encrypts its passwords. “We see no evidence at all of fraud activity and there are normal levels of buying and selling on our site,” an eBay spokesperson told us.
Etsy spokesperson Sara Cohen reached out to EcommerceBytes about eBay’s reaction to its announcement, stating, “I saw that you have been writing about our security update. We take issue with the fact that you’ve connected it directly to eBay’s breach (as, apparently, has eBay) – we’re not blaming any one company. As I’m sure you know, there have been several prominent retailers and other high profile websites that have suffered security breaches in recent months. It’s more likely that higher activity on our site is a result of a combination of lists from many attacks, used in conjunction with commonly known weak passwords, not just one breach.”
Cohen said Etsy has 40 million members – “it’s very likely some are using weak or generic passwords.” And, she said, there have been many low profile cases of security breaches as well. Neither of those facts was mentioned in Etsy’s original announcement.
“We chose not to go into every specific detail about how this happened. Our goal is to make members safe and give them information (such as the advice in the announcement about enabling two-factor authentication) – not to go into every single detail of what the security team details.” She said some of that was beyond the scope of what members needed to know.
Cohen said Etsy encrypts user passwords, and said the marketplace uses a “hash and salt” method.