// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRC-newsDTG 0600Z
Breach Record

Etsy

DISCLOSED 2025-05-28 · MISCONFIG · 1,600,000 RECORDS EXPOSED

An unprotected cloud instance leaked approximately 1.6 million customer email addresses, primarily from Etsy and TikTok Shop. The exposed data was discovered by researchers and is believed to mostly affect users in the United States. The incident resulted from a misconfiguration rather than a targeted cyberattack.

The record

What we know

Disclosed
2025-05-28
Attack vector
Misconfig
Sector
e-commerce
Country
US
Records exposed
1,600,000
Domain
etsy.com
Data classes exposed
email addresses
ColdRecon assessment

Could a positive-security control have prevented this?

Verdict · unclear · opinion

The leak stemmed from an unprotected cloud instance, not an endpoint compromise. A positive-security model might have prevented exposure if applied to the cloud configuration, but details are insufficient to assess.

Our assessments are opinion, grounded in the cited public facts. Read them critically.

Sources

Cited reporting

Similar vector · recent

Other misconfig breaches on file

This page is the permanent ColdRecon entry for the Etsy disclosure. It updates if new public reporting emerges. All tracked breaches →

Etsy just lived through this. Your next prospect doesn't have to.

ColdRecon turns every disclosed breach into a daily intelligence brief from the seller's seat — normalized to the factors that move a deal, written in the Handler's voice. Request clearance and the first lands tomorrow at 0600.

Request Clearance →