Does Etsy Have An Account Security Problem?
UPDATE 10-20-22
CindyLouWho2 was able to help one seller who had been trying to recover their hacked account for 10 weeks by posting in the Etsy community to get the attention of Etsy support.
I started a thread in the Etsy forum, hoping to get the attention of any @Etsy employee who can expedite this issue. https://t.co/NxwZbvKhnp
— CindyLouWho2 (@CindyLouWho_2) October 20, 2022
This seller needs their shop back. It's ridiculous to let this hacking drag on over 10 weeks! #marketplace #ecommerce
5/x
Good news: that specific shop is slowly getting their issues fixed.
— CindyLouWho2 (@CindyLouWho_2) October 20, 2022
Bad news: here's another one, waiting 10 days for an @Etsy account specialist to get back to them. https://t.co/jTpok8drQH
How many don't know to post in the Etsy forum?
7/x
She's absolutely right to point out though that many sellers may not frequent the forum and/or may not be able to access it.
Why should sellers have to post to the community forums to get support? Didn't Etsy promise the fee increase earlier this year would be used to improve customer support? 🤨
Etsy sellers are concerned over recent reports of account takeover fraud on the marketplace, prompting some to question if the problem is getting worse and if Etsy is doing enough to combat it.
Maria Diment
One Vancouver Etsy shop owner says her shop was "hijacked" by hackers who scammed over 300 of her customers by selling them items that didn't even exist.
Nicole Townend wasn't aware of the hack until recently.
On Wednesday morning (Oct. 12), Townend started receiving messages from people asking for refunds and assistance with their orders. Having not listed any items on her shop since around a year ago, she took the messages for spam.
Later that day, Townend became suspicious. "Every two minutes I would get one of these messages from somebody," she tells Vancouver Is Awesome over the phone. "I looked at my shop and saw that a lot of old listings that I sold in the past had been relisted at crazy prices."
Though her Etsy shop looked the same, retaining her name and photos, the hackers had changed the email address and password used to log in. "They would have had to change my banking information as well in order to get the deposit from the shop," she adds.
She's contacted Etsy Support as well as the Vancouver Police Department (VPD) for help.
While the platform has responded with generic support emails, including instructions on changing passwords and asking for login information, the VPD told Townend that because it's a cybercrime they can't do much to help...
...Prior to being locked out, she last heard that people were being scammed out of $200 to $1,000 each, and, despite her efforts to shut down the shop with Etsy's help, the shop sale tally shows around 350 new transactions made since then.
"They have essentially shut down my business and are still using my name and photo as the face. Etsy is doing nothing," she writes.
Now, Townend is no longer associating herself with her old shop name, which sold houseplants and plant-themed clothes, due to the hackers.
You can find many similar stories in the Etsy community forums as well.
I've just been informed by an Etsy customer that someone else is using my shop name - after a little digging, I've discovered that someone is indeed impersonating me, using a former shop name that I've haven't sold under since 2011.
The shop (not the one linked to my avatar), still has my info in the announcement, including a link to my CURRENT shop, which would explain why I've been periodically getting emails from customers, asking about their orders (I had been assuming they contacted me by mistake). The only difference is they have changed the location to Singapore. All the reviews for items I DID legitimately sell are still there, with the last one dated 7/18/2011. Then the reviews start back up again on 1/3/2022, for items that are NOT mine. So, apparently this has been going on all year...I haven't noticed any questionable financial activity, but I'm concerned that if this person was able to get into and take over a closed (and I thought, deactivated) shop, it might still have my financial information linked to it.
I only see one sales channel (my current shop) right now in my shop dashboard and I honestly don't remember if the last time I logged in my former, deactivated shop was still showing on the list. Plus, I know I had at least one other shop with a different name at some point...is it just floating around somewhere in Etsy cyberspace, waiting to be hacked into as well???
Someone has hacked my old Etsy account. I closed my shop "Homemade By Slavie" a few years ago, but now it's open. They use all my personal info inside, but my listings were replaced by other types of listings. I think they stole my e-mail address and changed the password - that's how they have access to the account.
Etsy selling pro and blogger CindyLouWho2 says she's been receiving reports of hacked dormant shops being used for fraud and gives some excellent advice on how to set up 2 Factor Authentication within your Etsy account to help try to prevent account takeovers.
Etsy sellers, are there more hacked shops lately? I've received emails about wreath shops with stolen photos hacking dormant shops & ripping off customers
— CindyLouWho2 (@CindyLouWho_2) October 18, 2022
The shop with these 1-star reviews just got closed today after 19 days of reports, 1.5 stars out of 5#EtsySellerNews
1/x pic.twitter.com/wQ3Os5Hdee
What I AM sure of is that every Etsy shop owner should have 2-factor authentication set up to help prevent this.
— CindyLouWho2 (@CindyLouWho_2) October 18, 2022
If you do, make sure you generate backup codes to use in case your phone isn't available. Go here:https://t.co/P7bDXi7hLO
and click regenerate.
3/x pic.twitter.com/yzQHHXGveh
While it's hard to say exactly how the takeovers are occurring and whether or not the instances of hijacking are significantly on the rise, it's concerning to me that in multiple reports the hijacked account holder says they believed the old account had been deactivated.
When I was researching triangulation fraud that I experienced on eBay, I found many of the accounts being used for that fraud also appeared to be dormant accounts that had been hijacked.
Liz Morton ~ Founder
While email phishing schemes are likely in play here, I also have to wonder if some of the account takeovers could be being facilitated by the log in or sign up with Facebook and Google options that eBay, Etsy and many other sites offer as well.
Those additional methods are convenient, but could also open up even more opportunities for fraudsters - if they are able to gain access to your Google, Facebook, or Apple account credentials, they can use those credentials to access existing accounts or create new fraudulent ones on many sites across the internet.
Thomas Brewster
I'd love to learn more about how account takeover fraud may be occurring on different marketplaces and what the support experience is like when trying to get assistance with a hacked account.
If you sell on Etsy, eBay, Amazon, Mercari, or any other online marketplace and have had your account compromised, leave a comment below or contact me directly - requests for confidentiality are always respected.
