What happened

According to public breach records, the Poshmark data breach on May 16, 2018 is reported to have exposed the personal information of 36,395,491 accounts.

In mid-2018, social commerce marketplace Poshmark suffered a data breach that exposed 36M user accounts. The compromised data included email addresses, names, usernames, genders, locations and passwords stored as bcrypt hashes.

Passwords in this breach were reportedly stored as bcrypt hashes.

In May 2018, social-commerce marketplace Poshmark suffered a data breach in which an unauthorized third party acquired data on roughly 36.4 million accounts; the company publicly confirmed the incident on August 1, 2019. Exposed data included email addresses, usernames, full names, genders, geographic locations, and passwords stored as bcrypt hashes (salted uniquely per user); Poshmark stated financial information and physical addresses were not affected. The data was subsequently provided to a breach-notification service, and within about a month roughly one million accounts with successfully cracked passwords began circulating online, raising credential-stuffing risk.

What data was exposed

The following types of personal data were compromised:

  • Email addresses
  • Genders
  • Geographic locations
  • Names
  • Passwords
  • Usernames

Breach details

| Detail | Value |
|---|---|
| Breach name | Poshmark |
| Date | May 16, 2018 |
| Accounts affected | 36,395,491 |
| Domain | poshmark.com |

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Poshmark; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

  • Change your Poshmark password immediately, and change it anywhere you reused the same password — bcrypt slowed cracking but roughly a million of these passwords were ultimately cracked and circulated.
  • Enable two-factor authentication on your Poshmark account and any account that shared the breached password, so a recovered password alone cannot grant access.
  • Watch for targeted phishing emails referencing your name, location, or Poshmark activity, since email addresses, names, and geographic locations were exposed.
  • Use a password manager to set a unique password per site, neutralizing the credential-stuffing attacks these leaked credentials enable.

Check your exposure

Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
