Poshmark reported a data breach on Thursday. The mobile app described which information it believes was acquired by “an unauthorized third party,” and which information it believes was not obtained.
Poshmark said it did not believe passwords were compromised, but recommended users change their passwords “as a precaution and security best practice.”
However, user information that was impacted includes “Certain user profile information specified for public use such as username, first and last name, gender, and city,” as well as certain email addresses, size preferences, and social media profile information.
As Lisa Baergen, VP of Marketing for NuData Security, a Mastercard company, pointed out, even if hackers don’t get passwords or credit card data, any information is useful for an attacker to put together a profile on the impacted people.
“The attacker can then use the profile to create new accounts online or offline under an assumed identity,” she said. “They can launch phishing or social engineering attacks with an increased success rate that enable the attacker to take over accounts.”
Poshmark's announcement follows:
Important Security Notice from Poshmark
August 1, 2019
We recently discovered that data from some Poshmark users was acquired by an unauthorized third party.
The data acquired does not include any financial or physical address information, and we do not believe your password was compromised. Regardless, we recommend that you change your password as a precaution and security best practice.
The type of data involved includes:
Certain user profile information specified for public use such as username, first and last name, gender, and city
Certain internal account information such as email address, user ID, size preferences, and one-way encrypted passwords salted uniquely per user (making it nearly impossible to use these passwords to access an account), as well as social media profile information collected when users connect social media accounts to Poshmark
Certain internal Poshmark preferences for email and push notifications
We take the trust you have placed in us extremely seriously, and since learning of this incident, we’ve expanded our security measures even further. We’ve conducted an internal investigation, retained a leading security forensics firm, and have implemented enhanced security measures across all systems to help prevent this type of incident from happening in the future.
Poshmark is a platform built on love and transparency, and we’re committed to serving you, and our entire community, every step of the way. You are the core of our business, and without you, we wouldn’t be the community we are today. We sincerely regret any concern this may cause you, and we’re here to answer any questions you may have.
For more info, please see our FAQ or contact firstname.lastname@example.org.
SOURCE: Poshmark Blog Post