Poshmark Breach

In today’s breach news, Poshmark disclosed “data from some Poshmark users was acquired by an unauthorized third party.” Poshmark is a social commerce marketplace where people in the United States can buy and sell new or used clothing, shoes, and accessories.

It’s unclear exactly

According to the official disclosure on Poshmark’s website (see https://blog.poshmark.com/2019/08/01/important-security-notice-from-poshmark/):

The data acquired does not include any financial or physical address information, and we do not believe your password was compromised. Regardless, we recommend that you change your password as a precaution and security best practice.

While it is unclear how many of Poshmark’s 50 million users were compromised, the type of data involved includes:

  • Certain user profile information specified for public use such as username, first and last name, gender, and city
  • Certain internal account information such as email address, user ID, size preferences, and one-way encrypted passwords salted uniquely per user, as well as social media profile information collected when users connect social media accounts to Poshmark
  • Certain internal Poshmark preferences for email and push notifications

Note that the passwords were stored as salted one-way hashes (what the notice calls “one-way encrypted”), meaning the actual passwords weren’t exposed, and it’s unlikely that the bcrypt hashing algorithm can be broken for all the records. But whoever grabbed the data could, in theory, work on cracking those passwords for as long as they want. It’s a good idea to change your password if you’re a Poshmark user.
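For anyone who stores passwords the same way, here is a check of stored bcrypt strings for the two properties mentioned above: a salt unique to each user, and the cost value that sets how much work each guess takes. This is an added example, not code from Poshmark or the original post; the `MIN_COST` threshold, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Modular crypt format for bcrypt: $2b$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 12  # assumed policy threshold, not a figure from the disclosure

def parse_bcrypt(stored):
    """Return (variant, cost, salt), or None if the string is not bcrypt-shaped."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # bcrypt's valid cost range
        return None
    return m.group(1), cost, m.group(3)

def audit(records, min_cost=MIN_COST):
    """records maps user id -> stored hash string. Returns user ids per finding."""
    findings = {"not_bcrypt": [], "low_cost": [], "shared_salt": []}
    parsed = {}
    for user, stored in records.items():
        p = parse_bcrypt(stored)
        if p is None:
            findings["not_bcrypt"].append(user)
            continue
        parsed[user] = p
        if p[1] < min_cost:
            findings["low_cost"].append(user)
    # A salt seen on more than one account means it is not unique per user.
    salt_counts = Counter(p[2] for p in parsed.values())
    findings["shared_salt"] = sorted(u for u, p in parsed.items() if salt_counts[p[2]] > 1)
    return findings

def relative_work(cost, baseline=MIN_COST):
    """Per-guess work relative to the baseline; bcrypt work doubles per cost step."""
    return 2.0 ** (cost - baseline)

def _shape(cost, seed):
    # Constructed placeholder with the right shape; not a real password hash.
    return f"$2b${cost:02d}${(seed * 22)[:22]}{'h' * 31}"

SAMPLE = {  # constructed records
    "u1": _shape(12, "ab"), "u2": _shape(12, "cd"),
    "u3": _shape(8, "ef"), "u4": _shape(12, "ab"),
    "u5": "0" * 32,  # constructed 32-hex string, shaped like an unsalted digest
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts listed under `low_cost` or `not_bcrypt` are candidates for rehashing at the next successful login.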

More news on the topic can be found here:

Techcrunch: Clothing marketplace Poshmark confirms data breach

Engadget.com: Clothing resale site Poshmark suffers data breach