Michael Rembetsy is Vice President of Technical Operations at Etsy, where he oversees security, datacenter, and site operations, and corporate IT.
As you may have heard, a serious OpenSSL vulnerability, known as Heartbleed, was made public yesterday. SSL is an encryption technology that protects the privacy of information transmitted over the Internet. This vulnerability represented a risk to a great number of Internet sites, but we quickly fixed the issues identified as affecting Etsy.com.
Etsy’s team of security and operation engineers have the important job of keeping you and your information safe when you visit Etsy. We work behind the scenes to prevent vulnerabilities, and to fix, or “patch”, known bugs and issues when they arise.
The team became aware of Heartbleed yesterday when the information was publicly released. Beginning late yesterday afternoon, we quickly began to determine the exposure of both our own systems, and those of our partners.
As of right now, we have no indication that an attack has been conducted against Etsy beyond testing the vulnerability, but this type of issue makes it very difficult to detect, so we’re proceeding with a high degree of caution.
What are we doing about this?
Yesterday evening (April 7, 2014), we patched the small part of our infrastructure that we had identified as being vulnerable. We also worked with our third party partners to ensure that their systems which we rely on were also protected. While we’re not currently aware of any other ongoing site issues connected to Heartbleed, we continue to undergo additional checks to ensure the security of Etsy, as well as those of the partner services that we use.
What can you do about this?
While at this time we have no indication that an attack against Etsy has occurred beyond proactive security tests, members who want to take extra precautions can take the following steps:
Start a new session with Etsy by signing out of your account and logging back in. (Read this help article)
Change your password to a new, secure password. (Read this help article)
Enable two-factor authentication, which adds an extra measure of security in addition to your password. (Read this help article)
Our members entrust us with the responsibility to protect them on Etsy. In turn, we take any reported vulnerabilities very seriously, and work hard to ensure that the site lives up to our high standards of security — and yours. This is an ongoing commitment, and if any other known issues arise with Heartbleed or other vulnerabilities, we’ll continue to share the information you need to stay safe.