A Month After Poshmark Confirmed a Data Breach, Private User Information Is Sold Online
Almost exactly one month ago, North American online clothing marketplace Poshmark announced that it had suffered a data breach. For reasons that remain unclear, the website decided not to disclose how many people got affected, but as news outlets covering the incident pointed out at the time, Poshmark has tens of millions of users, so the potential impact was pretty significant from the very start. Unfortunately, the actual size of the stolen database remained unknown. Until yesterday, that is.
Last week, a person who wants to be referred to by his email address – JimScott.Sec@protonmail.com – got his hands on the data stolen from Poshmark, and he decided to share it with cybersecurity legend Troy Hunt. Hunt processed the information and loaded it into his HaveIBeenPwned data breach alert service. Thanks to this, we now know that just over 36 million accounts have been exposed.
A lot of people are affected. But how worried should they be?
What did the hackers steal?
Right from the start, Poshmark was keen to point out that the cybercriminals didn't steal any financial data or information related to customers' physical addresses. The blog post said that in addition to taking publicly available information like names and usernames, the cybercriminals managed to make off with an internal database containing people's email and push notification settings.
So far, so unremarkable, but Poshmark did admit that internal account data had also been exposed. This includes people's email addresses, user IDs, size preferences, and most importantly, "one-way encrypted passwords salted uniquely per user". The retailer then went on to explain that it had used bcrypt – one of the few hashing algorithms that are considered secure enough to be used for storing passwords. Despite this, Poshmark advised its users to change their passwords just in case.
On the face of it, then, while the 36 million Poshmark customers should be on the lookout for spam and phishing emails, there's not much to panic about. New information emerged on Monday, however, which does sound a bit worrying.
Hackers are allegedly selling cracked Poshmark passwords
After Troy Hunt announced that the Poshmark data has been loaded into HaveIBeenPwned, Bleeping Computer got in touch with JimScott.Sec@protonmail.com (who has experience in dealing with this sort of incidents, by the way) and asked a few questions about the information. The mysterious individual told the security news website that he had seen the full database, with all 36 million accounts in it, changing hands on the dark web for as little as $750. He also noted, however, that he had seen about 1 million cracked Poshmark accounts being offered at a much higher price. If that is true, the hackers are selling complete sets of login credentials, which means that they have somehow managed to retrieve people's plaintext passwords.
That's an interesting twist because if Poshmark's initial disclosure is truthful, the passwords shouldn't be retrievable. Experts say that bcrypt is a suitable algorithm for hashing passwords for a very good reason. While it might be theoretically possible to crack it, even with today's powerful hardware, doing it is not practical. This suggests that either the clothing retailer's implementation wasn't correct or the hackers simply guessed the 1 million Poshmark passwords they're selling.
Whatever the case, the mere fact that these credentials are traded on the underground markets once again highlights how important it is to protect all your accounts with strong, unique passwords.