When the usernames and passwords of a big, popular site like eBay are compromised, consequences can spread beyond the original site that was attacked. It’s possible that users of selling platforms Etsy and eBay use the same usernames and passwords on both sites, since security staff at Etsy say that they’ve noticed an uptick in spam and account hijackings since the recent eBay breach.
As far as the company knows, the main problem with hijacked accounts has been spammy messages sent to random users through Etsy’s internal messaging or “conversation” system. I received a series of these and flagged them as suspect immediately: on a site for handmade items, craft supplies, and vintage items, usually people don’t send ten links to the same weight loss supplement within a few minutes. Usually.
“We recognize that some Etsy members use the same usernames and passwords across multiple sites, and that they may have been victims of the recent attacks aimed at other websites,” Etsy explains in a blog post. “We currently believe that the uptick in convo spam that we are seeing is a direct result of usernames and passwords stolen in other attacks being used to sign in to some Etsy members’ accounts.”
Etsy’s advice to users is pretty much the same as every other site’s advice to us, before a breach or after one. Change your other passwords after a site that you use is breached. Use two-factor authentication when it’s available. Use complex passwords. Don’t use the same password on every site. Don’t click directly on links in messages from people you don’t recognize.
Security Update: Protecting Your Etsy Account [Etsy] (via eCommerceBytes)