Poshmark Retailer Member Passwords Are Being Sold Online

There is grim news for users of the online marketplace Poshmark, which is a thriving community where people buy and sell used clothing and other accessories.  Recently it has come to light that the login details of more than 36 million of the company's 40 million members were acquired by an unauthorized third-party.  Worse, those details have been found for sale on the Dark Web.

The stolen data was fairly extensive and included each user's username, real name, email address, gender, geographic location, and hashed password.  If there's a silver lining to be found in the aftermath of the incident, it is the fact that Poshmark disclosed the breach promptly. They reported that they had used the bcrypt algorithm to hash user passwords, which makes it less likely, (though not impossible), for the hackers to actually gain access to those passwords.

Unfortunately, there appears to be steady demand for the Poshmark data.  Despite the fact that Poshmark did its part by protecting their members' passwords with a strong hashing algorithm, the sad truth is that many users have bad password habits. Thus, the hackers reasoning, a majority of the passwords being protected are notoriously weak and those accounts may be able to be accessed via brute force methods.

This latest incident underscores three key points:

• Anyone online should begin to develop better password habits immediately.
• Anywhere two-factor authentication is available, it should also be used.
• If you're a Poshmark customer, you should change your password immediately.

These pieces of advice are no different today than they were when we talked about the last major breach, and they'll be identical to the advice given when we talk about the next one.  The hackers won't stop until and unless we make it not worth the effort.