Poshmark, an online marketplace where North American users can buy and sell new or used clothes, shoes, and accessories, disclosed a data breach yesterday, on August 1.
The company said that an unauthorized party gained access to its servers from where it stole information such as usernames, hashed passwords, first and last names, gender information, and city of residence.
The hacker also stole clothing size preferences, user emails, and social media profile information collected when users connected social media accounts to Poshmark, the company said.
Poshmark said the passwords were scrambled using a one-way hashing algorithm, and then salted (randomly scrambled) on a per-user basis — “making it nearly impossible to use these passwords to access an account,” it said.
In addition, the hacker also got their hands on some less important information, such as some internal Poshmark account preferences, used by the company to send email and browser and mobile push notifications.
Unknown when the breach happened
Poshmark did not reveal when the breach occurred or when the company found out about it. It did, however, say that no financial data or user addresses had been taken in the recent breach.
In a blog post and a security notice posted on its website, the online marketplace said it contracted a security vendor following the discovery of the breach, and that a security audit performed by this vendor did not reveal “any material vulnerabilities” that the hacker might have exploited.
The company said it’s now slowly notifying all impacted customers via email, on a rolling basis, in small batches at a time.
Poshmark said that only US users had their data stolen, but not any of its Canadian userbase. The company previously stated that it had over 50 million registered users. It did not say how many had their details stolen in this incident.
Last year, fashion retailer SHEIN announced a similar security breach during which a hacker stole the details of 6.42 million users. That stolen data has been sold online and has recently entered the public domain after it leaked from the data traders that bought it.
More data breach coverage: