Cyber Incident Victim: Poshmark
Date:
Aug 2019
Location:
United States of America
Summary
A hacker breached the servers of Poshmark, a clothing marketplace, stealing customer details including usernames, emails, hashed and salted passwords, first and last names, gender, city of residence, clothing size preferences, and social media profile information linked to accounts. The compromised data also included internal account preferences used for notifications, though financial data and physical addresses were unaffected. The company engaged a security vendor post-discovery, with audits revealing no material vulnerabilities exploited in the incident. Notification to impacted users occurred gradually via email batches, limited exclusively to U.S. customers despite the platform's broader user base exceeding 50 million registered accounts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In August 2019, Poshmark, an online clothing marketplace with over 50 million registered users, disclosed a security breach involving unauthorized access to its servers. The attacker exfiltrated customer data including usernames, email addresses, first and last names, gender details, city of residence, and clothing size preferences. Additionally, social media profile information linked to user accounts was compromised. The company confirmed that stolen passwords were protected using a one-way hashing algorithm with per-user salting, a security measure designed to render credential misuse impractical. Internal account preferences related to email and push notification settings were also accessed but deemed less critical. Poshmark explicitly stated that financial information and physical addresses remained unaffected. The organization did not disclose the timeframe of the breach occurrence or its discovery timeline, creating uncertainty about the duration of unauthorized access.
Following the breach discovery, Poshmark engaged a third-party security vendor to conduct a forensic audit, which reportedly identified no material vulnerabilities exploitable by the attacker. The company initiated a phased notification process, informing impacted customers via email in controlled batches to manage response logistics. Only United States-based users were confirmed as affected, with Canadian accounts remaining uncompromised. Poshmark refrained from specifying the exact number of victims despite its publicly known user base size. No evidence suggested operational disruption to marketplace services during or after the incident. The breach investigation concluded without public disclosure of attacker attribution or explicit technical compromise methodology.