More than 1000 Trade Me accounts swapped, briefly exposing personal information

Wednesday, 17 February 2021

Trade Me exposed personal information of 1400 users last week after an error briefly swapped people’s accounts.

On Friday last week, Trade Me notified its users that they were briefly logged into the wrong account at about 4pm on February 10.

“This incident also meant you may have been accidentally logged into another member’s account for a short time. You were probably unaware of this as you were able to use Trade Me as normal,” Trade Me said in an email.

Trade Me trust and safety head Lisa Kerr said personal information such as names, emails, account balances and addresses could be seen for a short time, but no credit card details or member passwords were shared.

**READ MORE:

* Privacy Commissioner announces inquiry into Trade Me privacy changes

* Spark spots 21,000 customer logons in sweep of dark web

* Mercury 'extremely sorry' for privacy breach of shareholder information

**

The mistake was the result of a website update and the issue was resolved within an hour, Kerr said.

In an email received by one Trade Me user, the company said it was “contacting members who viewed someone else’s membership and instructing them to permanently delete any information of yours they may have”.

“No changes were made to your account, and they didn’t use your account for anything (for example buying/selling).”

Kerr said Trade Me had notified the Office of the Privacy Commissioner about the incident.

A commission spokeswoman confirmed it had been “promptly” notified of this privacy breach.

Under Privacy Act, organisations and businesses must inform the Privacy Commissioner and affected people about privacy breaches that either have caused or have the potential to cause serious harm, as soon as possible.

Kerr said the website had put steps in place to ensure this privacy breach would not happen again.