“Human error” exposed sellers’ names on Etsy.com

Due to an “internal human coding error,” online marketplace Etsy.com exposed over 1,900 sellers’ real names on their website on September 20 instead of their shops’ names.

In a post on its website, Chad Dickerson explained:

We had an issue in Treasury earlier today where the “full name” field that we gather at seller registration replaced the shop name in pages that display individual Treasury lists. Other pages were not affected, including the index of Treasury lists. This problem was due to an internal human coding error. This “full name” data is gathered on a page that you only see when you register as a seller: http://www.etsy.com/register_seller1.php This name is only used by an internal customer service tool and is not related to credit card, billing, or any other information on the site.

According to the time line provided, the problem was detected within 15 minutes, and the site was displaying properly again 38 minutes after the problem occurred.

In a subsequent blog entry, Dickerson reported:

This issue affected at maximum about 2% of total Etsy sellers. This figure includes all sellers featured in the Treasuries that were viewed today.

The total individual Treasuries viewed while the bug was out was 1912. Of those:

* 1628 were viewed 5 or fewer times
* 1372 were viewed 2 or fewer times
* 1064 were viewed only once

Now I realize that most of the organizations that use my sites to find breaches to include in their databases will probably not include this breach because it “only” exposed sellers’ names. But I think it serves as a useful reminder that even unintended exposure of “just” a name can be very problematic for some people. The thousands of comments on Etsy.com’s forums about the incident remind us all that identifying or accidentally “outing” people can have potentially serious consequences for some.

About the author: Dissent