Poshmark reveals data breach

Online clothing marketplace Poshmark has revealed that it has suffered a data breach.

The site, which allows users in North America to buy and sell new or used clothes, shoes and accessories, said that an unauthorized party was able to gain access to its servers and steal information on users, including their usernames, hashed passwords, first and last names, gender and city of residence.

Users who connected their social media accounts to Poshmark also had their clothing size preferences, user emails and social media profile information stolen by the attackers.

While users' hashed passwords were stolen in the breach, Poshmark uses a one-way hashing algorithm to scramble its passwords, and the company also salted, or randomly scrambled, some passwords on a per-user basis, which makes it almost impossible for the stolen passwords to be used to access an account.

Poshmark data breach

Those behind the data breach also managed to obtain some internal Poshmark account preferences which are used by the company to send email, browser and push notifications on mobile.

The online marketplace did not reveal when the breach occurred or when it first found out about it. However, Poshmark did say that no financial data or physical addresses were taken by hackers.

In a security notice, the company explained its course of action following the breach, saying:

“We conducted an internal investigation and retained outside experts, including a leading security forensics firm. The security forensics firm we retained ran extensive testing designed to find vulnerabilities in our software and systems. After the testing, the firm reported that it did not find any material vulnerabilities. While our security was already strong, we have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.”

Poshmark is now notifying all impacted customers via email on a rolling basis, and luckily none of its Canadian users were affected by the breach.

Via ZDNet