
Issue with names in Treasury lists this afternoon

Sep 20, 2010

by Chad Dickerson

Hi everyone,

We had an issue in Treasury earlier today where the "full name" field that we gather at seller registration replaced the shop name in pages that display individual Treasury lists. Other pages were not affected, including the index of Treasury lists. This problem was due to an internal human coding error. This "full name" data is gathered on a page that you only see when you register as a seller (http://www.etsy.com/register_seller1.php). This name is only used by an internal customer service tool and is not related to credit card, billing, or any other information on the site.

Immediately after the incident, we provided information in this thread: http://www.etsy.com/forums_thread.php?thread_id=6632492

This announcement has all of the most up-to-date information and we will be adding further updates here. Some of the information might change as we review the incident.

The official timeline is as follows (all times EST). This timeline is revised from my earlier post as we were still gathering information when I posted:

12:07 – bug released
12:22 – error detected
12:36 – fix for bug completed, tests ran for 6 minutes
12:41 – fixed code goes to QA environment
12:45 – fixed code live on site

A number of members in the forum asked why we did not shut down the Treasury immediately. This is a reasonable expectation and I'm reviewing what steps we can take in the future to make our response as near to immediate as humanly possible. It was not good enough in this case.

We will be contacting all members who may have been affected and are taking steps to make sure that any Treasuries indexed during that time do not appear in the Google cache.

We are taking this issue very seriously and offer our deepest apologies for this incident. I'll add more updates here as we have them.

* * * * *

I wanted to let everyone know that we pulled requests in our logs by the Google search indexer that appeared during the bug. We submitted the URLs that were requested to Google during that time so they would not be added to the Google search cache. That should take care of any affected Treasuries appearing in the Google cache.

More updates to come – thanks for your patience.

* * * * *

I wanted to give everyone more details about the extent of the issue we had earlier today. This issue affected at maximum about 2% of total Etsy sellers. This figure includes all sellers featured in the Treasuries that were viewed today.

The total individual Treasuries viewed while the bug was out was 1912. Of those:

* 1628 were viewed 5 or fewer times
* 1372 were viewed 2 or fewer times
* 1064 were viewed only once

We're continuing to work on this and limit the impact of the issue. Thanks once again for your patience.

* * * * *

And because it's worth saying again:

We're very sorry that this happened. We've devoted our day — and will continue to devote days — to making sure this won't happen again.

* * * * *

Hi everyone,

We just finished sending emails to everyone who may have been affected by the Treasury issue we had yesterday. Now that everyone who may have been affected has been notified, we wanted to answer some of the common questions that have been coming up. If you did not receive an email, we've determined that your name could not have been exposed during the time we had the problem.

* How many people saw this happen?

Of the 1.3 million unique visitors to Etsy yesterday, about 1,200 of them viewed the Treasury during the 35 minutes before the glitch was fixed. Speaking in percentages, this means that 0.09% of the people who came to Etsy yesterday saw this happen. While that number is little consolation to those who were affected, we wanted to be as specific as we could possibly be about the scope of the problem.

* Was any other personal information shared?

No other personal information was exposed. This issue was contained within the Treasury and did not appear elsewhere on Etsy (including the front page).

* Where did Etsy find my real name?

The full name displayed was the one you put on file when you first opened up your shop. This name is otherwise not displayed anywhere else on the site.

* How did this happen?

The glitch was caused by an internal programming mistake, not a security breach.

* What are we doing to make sure this won't happen again?

We've begun what will be an ongoing process. So far, we have:

– Added further safeguards in our code
– Reviewed and improved our response and escalation policy
– Enhanced our coding, reviewing, and releasing processes
– Invested in our security and privacy team

* Do search engines have the exposed information?

We contacted the search teams at Google, Microsoft, and Yahoo to purge any pages in the Treasury that may have been indexed while the bug was live and those pages are not currently in those search indexes.

* How does Etsy store credit card numbers?

While not related to yesterday's incident, a number of people have asked this. The answer is that Etsy does not store credit card numbers. The information is sent to and stored securely with our payment processor.

Thanks again for your patience as we've gathered all of the information related to this incident. Again, we want to offer you our deepest apologies for this incident. We take our responsibilities seriously and thank you so much for being a part of Etsy.