What Happened
In mid-2018, specifically around May, social commerce marketplace Poshmark suffered a data breach when unauthorized actors accessed its servers, exposing data from approximately 36 million user accounts. The compromised information included email addresses, names, usernames, genders, locations, notification preferences, size preferences, social media profiles, and passwords stored as bcrypt hashes, though the company initially stated passwords were secure due to one-way encryption and advised changes out of caution; subsequently, over 1 million passwords were cracked and sold online for credential stuffing attacks. Poshmark publicly disclosed the incident in early August 2018, notified affected U.S. users (not Canadian), hired a forensics firm that found no major vulnerabilities, and implemented enhanced security measures, with the breach later added to Have I Been Pwned in September 2019.
