March 15th, 2011
Etsy – You Are What You Buy
You would think that after the past year's scandals with Facebook, Blippy, and various other social media snafus, the industry would start to get wise and be more careful about what personal information of their users they release online. This is a long-term problem, however. For instance, a couple of years ago Sophos did a research study that found over 41% of the people they surveyed easily and willingly shared personal info (emails, date of birth, address and phone number) with complete strangers online. There is no indication that things are getting better at this point.
As amazing as that is to most of us reading this, what happens if your information is shared and you aren’t the one who willingly shared it?
That’s the situation today with Etsy.com. On March 9th Etsy’s admins excitedly put a post on their website stating that they have a new “feature” that will allow others to search for users, buyers and sellers on their site.
Sounds innocent enough? Well, yes, until you find out that this search function now affects your personal data, which is also cached in Google.
Learning From the Past
Etsy is a site that is similar to eBay, but for people who like to sell unique and artsy items. It is not uncommon on Etsy, though, to find people buying and selling drug paraphernalia and sex toys. Now I am not sure about you, but I would be willing to guess that most of the users who are on that site buying and selling these things do not want their parents, friends, bosses and co-workers knowing this level of intimate detail about their purchasing habits.
This is not too far from the scandal with Facebook releasing all sorts of personal info all over the web. Facebook’s horrible security policies are what led many to have their accounts compromised, and many stories were released that involved young women being blackmailed into sex acts online to keep pictures that were found in their accounts from being released.
After that you would imagine that most sites that involve this kind of data would take extra precautions to ensure their users’ safety. Is that the case with Etsy?
Let’s just imagine I am a malicious person who wakes up today and wants to ruin someone else’s life. So I go to Etsy and I search for “BONGS”.
After some searching you find a shop that seems to sell a lot of drug supplies, pipes and similar items.
Next, all I do is click on the user’s name, where amazingly I am confronted with all of his information:
• Paradise, United States
• Born on November 14
• Joined January 09, 2011
Oh, don’t for a second think it stops there. It gets much worse.
Taking his full name and punching it into Google pulls up a list of links on the Etsy site, one of which is called his “Circle”. Going to that shows us the circle of friends he has, who also seem to sell drug-use supplies, pipes and other such items.
Back on his sales page you also can click the link that is labeled: “See who favorites this shop”
This opens up a page that shows you every user who has bought or said something nice about this seller.
Clicking on any one of them leads you down the same path:
Taking just her name and nickname to Google:
Websites, blogs, Twitter, LinkedIn, Facebook- OH MY!
And it is not too hard to confirm that these are the right ones, as we have her DOB, full name and even the city she lives in.
Obviously Etsy’s great idea to make life easier for their users just makes it easier to compromise their users. Now there is a feature in the user settings where they can make their info private, but not many Etsy users know about it since it is not broadcast. Plus, all users were opted in to having their information shared with the world by default. A very dangerous setting.
If you have an Etsy account, even if you created it to just log in once to buy a single product, you will want to log in and change your settings. This is another example of how the online social media world and the lack of true security policies are allowing companies to open people up for compromise. This is a trend that will continue for some time until, as a culture, we start to appreciate the value that is associated with personal data. So please be careful with what data you share and where; just because it is private today does not mean it will be tomorrow.