Dehashed login details for customers of Poshmark, an online marketplace for buying and selling used clothes and accessories, have been circulating online following the data breach a few months ago.
At the beginning of the year, Poshmark announced that it had 40 million community members. According to data breach platform Have I Been Pwned, login details of more than 36 million customers were acquired by an unauthorized party.
The data includes email addresses, hashed passwords, gender, geographic location, names, and usernames.
Good hash algorithm
When it disclosed the incident on August 1, Poshmark said that it uses the bcrypt algorithm to hash sensitive details such as passwords.
This algorithm is recommended by the security industry for securely storing passwords as it is more resistant to offline brute force attacks.
Data hashed with bcrypt can still be cracked, though, even if each string is scrambled with unique salt data, as Poshmark claims to have used.
According to Jim Scott, who is credited for providing the Poshmark database to Have I Been Pwned, the details were initially put up for sale on the dark web for $750.
Cracked passwords available
It is unclear in what form it circulated at the beginning but the price tag suggests that the passwords were hashed. However, the other details, like email, geographic location, and gender could prove to be valuable information for spammers or malware distributors.
Scott told BleepingComputer that they saw cracked Poshmark accounts circulating online, about one million of them.
Of course, the price for dehashed accounts would increase significantly, as these can be used in credential stuffing attacks. As many users tend to ignore data breach security warnings, cybercriminals can even try the logins on Poshmark and hijack accounts.
Users should pay attention to data breach notifications and change the passwords for affected accounts as soon as they learn of a potential compromise.
Strong, unique credentials are still the norm to defend against cracking attempts. The allowed password length and characters differ from one service provider to another, but it is recommended to set the longest supported password and use all characters allowed.
Where available, two-factor authentication should be enabled, as it prevents hackers to log into your account with just the username and password.
For more cybersecurity news and insights: https://ascensiongt.com/cybersecurity-news-and-insights/