Poshmark 2018 Data Breach

Poshmark Fashion Resale Marketplace Breach (2018): 36 Million User Accounts Including Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

MisconfigurationRetailSocial CommerceEmail AddressFull NameGenderGeographic LocationPasswordUsername
Low SeverityWebsite / service breach

Poshmark Fashion Resale Marketplace Breach (2018): 36 Million User Accounts Including Passwords Exposed

Social commerce marketplace for fashion.

Verified by ObscureIQ Intelligence
19/100Breach Risk Index
10Data Value
10Market Recency
2429dSince Breach

Breach Intelligence Summary

Entity: Poshmark · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Fashion resale marketplace · Social commerce platform · Global
Timeline: Breach (2018-05-16) · Indexed (Sep 02, 2019) · Year (2018)
Exposure: 36.4M records · 6 fields: Email Address, Full Name, Gender, Geographic Location, Password, Username
Status: Confirmed

Executive Summary

Poshmark, a social commerce marketplace where users buy and sell clothing and goods, suffered a data breach in mid-2018 that exposed approximately 36.4 million user accounts. An unauthorized third party accessed user data through a misconfiguration. The breach was not publicly disclosed until August 2019, more than a year after it occurred, when Poshmark announced the incident after being contacted by security researchers. The exposed data included email addresses, full names, usernames, genders, geographic locations, and passwords. The passwords were stored using bcrypt, a relatively strong hashing method, which reduces but does not eliminate the risk of them being cracked. Financial information and physical addresses were not affected. Because Poshmark combines social networking with retail activity, the exposed data can also reveal users' shopping habits and personal interests, adding context that makes phishing and impersonation attempts more convincing. Poshmark notified affected users, forced password resets, and advised users to update passwords on any other accounts where the same credentials were used. No prominent class-action settlement or regulatory action has been documented in connection with this breach. Affected individuals remain at risk of targeted phishing, account takeover, and seller impersonation, particularly if they reused their Poshmark password elsewhere.

ObscureIQ assessment: Exposure enables phishing, seller impersonation, order fraud, and account abuse. Social-commerce activity can also reveal spending habits and personal style preferences.

Breach Impact

In mid-2018 Poshmark suffered a breach exposing approximately 36 million user accounts. The exposed data included email addresses, full names, usernames, genders, geographic locations, and passwords stored as bcrypt hashes. Poshmark disclosed the incident in August 2019 after being contacted by security researchers. The company notified users, forced password resets, and advised users to change passwords on other accounts where the same credentials had been used. No class-action settlement or significant regulatory action specific to this breach has been prominently documented.

About Poshmark

Poshmark is a social commerce marketplace where individuals buy and sell new and secondhand clothing, accessories, and home goods. Founded in 2011 and headquartered in Redwood City, California, the platform went public on Nasdaq in 2021 before being acquired by South Korean internet company Naver in 2023 for approximately $1.2 billion. The platform combines social networking features — following, sharing, and liking — with peer-to-peer retail commerce.

Why They Hold Your Data

Social-commerce marketplaces collect buyer and seller identity, contact details, addresses, payment-adjacent data, transaction histories, and social-engagement records across resale workflows.

Recent Developments

Following Naver's 2023 acquisition, Poshmark has operated as part of the same portfolio as Wattpad and the Naver-affiliated webtoon ecosystem. The company has continued developing its marketplace features and expanding in international markets. No major standalone organizational developments beyond the acquisition context have been prominently reported.

Data Points Exposed

6 verified field types
Email Address
Full Name High
Gender
Geographic Location
Password Critical
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Pattern-of-life analysis & physical surveillance
  • Credential stuffing & account takeover
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Poshmark breach?

Poshmark, a social commerce marketplace where users buy and sell clothing and goods, suffered a data breach in mid-2018 that exposed approximately 36.4 million user accounts. An unauthorized third party accessed user data through a misconfiguration. The breach was not publicly disclosed until…

What data was exposed?

Verified fields include Email Address, Full Name, Gender, Geographic Location, Password, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Breach Index
DataBreach.com
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
DataViper.io
Independent catalogue listing
Cross-source
leakfind
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation