Millions of Poshmark users woke up to a data breach, and an alarming notification within their Poshmark App “Important Security Notice from Poshmark” I personally went into a panic and thought “OMG, my funds!” I’m sure I wasn’t the only person freaking out. This is the first big data breach for Poshmark. Read Poshmarks official notification below as well as tips on keeping your account safe.
Today, August 1st, 2019 Poshmark announced that there has been a data breach within the Poshmark system. Here is Poshmarks full briefing on #PoshmarkHacked :
“Poshmark Security Notice
Poshmark Security Notice FAQ
We recently discovered that data from some Poshmark users was acquired by an unauthorized third party.
The data acquired does not include any financial or physical address information, and we do not believe your password was compromised. Regardless, we recommend that Poshmark users change their passwords as a precaution and security best practice.
What information was affected by this issue?
The type of data involved includes:
- Certain user profile information specified for public use such as username, first and last name, gender, and city
- Certain internal account information such as email address, user ID, size preferences, one-way encrypted passwords salted uniquely per user (making it nearly impossible to use these passwords to access an account), as well as social media profile information collected when users connect social media accounts to Poshmark
- Certain internal Poshmark preferences for email and push notifications
What did Poshmark do when it discovered the issue?
We take the trust you have placed in us extremely seriously, and immediately upon learning of this incident, we expanded our security measures even further. We conducted an internal investigation and retained outside experts, including a leading security forensics firm. The security forensics firm we retained ran extensive testing designed to find vulnerabilities in our software and systems. After the testing, the firm reported that it did not find any material vulnerabilities. While our security was already strong, we have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.
Are community members being notified?
Yes, we are in the process of notifying our U.S. users by email and have posted the information on our blog and in the app. Users will receive email notifications on a rolling basis as quickly as possible.
Did this affect users in Canada?
No, based on all of the information we have to date, we believe this incident was limited to U.S. users only.
What should I do to help protect my information?
First and foremost, we want to assure you that the Poshmark Data Breach does not include any financial or physical address information.
We do not believe user passwords were compromised during this incident because we use one-way encrypted passwords salted uniquely per user, making it nearly impossible to use these passwords to access an account.
Regardless, as a general best practice, we recommend that our users:
- Do not share personal login information with others
- Be aware that Poshmark would not ask for personal information such as your login information or password in email communications. If an email you received asks you for this information, the email was not sent by Poshmark and may be an attempt to steal your personal data.
- Use “strong” passwords for all accounts/websites
- Do not use the same password for multiple sites
What security measures does Poshmark take to protect my information?
We remain committed to providing a safe, secure shopping experience for our community. We protect our community by following industry-wide security best practices, including features such as:
- Two-factor authentication: Whenever you change your password, email, or redemption details, Poshmark will text or email you a verification code to confirm that you are the one requesting this change, making it extremely difficult for unauthorized individuals to use your account to purchase items or withdraw funds.
- Extensive security reviews: Poshmark monitors and tests for potential security vulnerabilities using both internal tools as well as third-party services.
- Strong one-way encrypted passwords: Poshmark uses one-way encrypted passwords salted uniquely per user, making it nearly impossible to use these passwords to access an account.
I still have more questions, what can I do?
Your trust is extremely important to us and our support team is here to answer any additional questions. Please contact firstname.lastname@example.org for further assistance. -Poshmark”
Ok, so what does all of this mean?
This means that your most important info such as your bank account, payment methods were not collected, they ARE SAFE. The information which WAS compromised were demographic & personal info such as:
Social media info
Password verification codes
This basically sounds like your Poshmark profile minus your financial info.
The best way to make sure your account is safe is to contact Poshmark support via email at Support@Poshmark.com and ask for a NEW verification code (UPDATE BELOW). Double-check that your Poshmark app is up to date, so your account will have the Poshmark two-factor verification login feature. Are you wondering if your account was personally hacked? There is no definite way to know without Poshmark telling you (which I’m not sure they would do) but you can ask Poshmark to send you the list of IP address associated with your account. Each device you use to log in to Poshmark has a unique IP address which can be linked back to a device and location. With that information, you may be able to tell if anyone without your permission has been accessing your account. Requesting the IP address logs may not always tell you if someone has your account info.
Today I updated my address before my purchase and I was asked to upload a government ID or Passport as proof of account ownership, This is GOOD. Poshmark is taking extra steps to secure and protect your account. Even though there was a Poshmark data breach, no financial information was lifted. So kudos to the Poshmark team for keeping our monies locked down! We 100% support Poshmark and their amazing security team.
Poshmark has replied to our blog post. Read their reply below regarding verification codes:
Hopefully this is the only Poshmark data breach!
What are your thoughts on #PoshmarkHacked ?