After Etsy implied that the criminals who had hacked eBay’s database were behind a recent increase in spam being sent through its messaging system, eBay pushed back.
In an obvious reference to the eBay security hack, Etsy issued a warning to users that spammers were logging into some member accounts, “a direct result of usernames and passwords stolen in other attacks.” Etsy surmised that the account takeovers were cases where its members had used the same usernames and passwords across multiple sites.
eBay spokesperson Amanda Miller reached out to EcommerceBytes after we reported the story in Thursday’s newsletter, explaining that eBay encrypts its passwords. eBay had no evidence that criminals had ever decrypted the passwords, something she said would be very difficult to do because of the way the data was stored.
“We see no evidence at all of fraud activity and there are normal levels of buying and selling on our site.”
Etsy sellers had reported an increase in spam coming from other members through its “convos” messaging system this week, such as the reports cited in this thread from Wednesday:
“For some reason my account has been spamming convos with messages I didn’t send and I’m not sure what to do or how to fix it… Even after I changed my password it’s still doing it. So I’m getting a lot of angry messages from people I never talked to…”
Etsy Vice President of Technical Operations Michael Rembetsy acknowledged the increase in spam and in a warning on the Etsy blog said, “If you have been following the news recently, you may have seen that a number of high-profile websites have suffered security incidents. These attacks unfortunately resulted in a large number of usernames and passwords from those sites being compromised. Whenever this happens, it can put accounts on other websites that have not been attacked at risk, especially if the same login information has been used across multiple websites.”
eBay revealed last month that a portion of its user database was accessed by criminals who had obtained a small number of employee login credentials. While they gained access to sensitive information such as members’ dates of birth and addresses, member passwords had been “hashed and salted” (what eBay has been calling “encrypted”), making it very difficult for would-be hackers to decode the passwords.
Etsy’s Rembetsy said in his warning to users, “We currently believe that the uptick in convo spam that we are seeing is a direct result of usernames and passwords stolen in other attacks being used to sign in to some Etsy members’ accounts.”
We’ve reached out to Etsy for comment about Miller’s assertion regarding eBay’s passwords, but had received no response before press time.