Tell HN: Poshmark instantly leaked my email to scammers

9•hardenedmetapod•2w ago

Browsing for an obscure piece of electronics, I ran across a Poshmark listing that had it for considerably cheaper than anywhere else.

I didn't have an account yet, so I signed up with Google SSO and was able to place the order.

About an hour later I got an email as if I was the seller telling me to click this link to verify my account for my funds to be deposited.

Obviously phishing. Upon closer inspection, I had two earlier that were properly filtered to spam that were about 30 minutes after the order.

So the question here is what part of their system is so fundamentally broken that scammers instantly get my email? Does the seller get that upon me making that purchase?

And if that's not the case, then that means somebody has completely compromised their system.

Comments

myself248•2w ago

Yikes. I wonder if there's a way to differentiate between the bad-seller and the poshmark-is-compromised case.

chrisjj•2w ago

Sure. Be a seller.

hardenedmetapod•2w ago

There's a third case that I never considered.

Google SSO is the promoted way of signing in and it auto assigns your email to the username without any special characters so scammers could just be scraping new accounts and making a best guess at the email.

Lame.

chrisjj•2w ago

I'd call that the first case and the second case. Lame indeed.

chrisjj•2w ago

> So the question here is what part of their system is so fundamentally broken that scammers instantly get my email?

Perhaps none. Did the T&Cs permit this disclosure?

hardenedmetapod•2w ago

Not that I can see offhand. It mentions using your email for correspondence and copyright disputes.

chrisjj•2w ago

I'd say odds on Poshmark leaking your address to the seller.

The fact you got spam so soon makes me wonder, did you get your goods?

altairprime•2w ago

Sounds exactly like a common website “significantly cheaper” scam, only on Poshmark slash Etsy slash Amazon, where the seller is provided your contact info in order to ship you things. Did they have a history of completed sales? Did you ask any questions and get a response (or not) before purchasing? Someone always ends up being the first rube at any online marketplaces from a scam seller who hasn’t been reported yet, at least when said marketplaces aren’t doing serious in-person identity verification first, and this time you’re the lucky one.

Show HN: Minecraft Creeper meets 90s Tamagotchi

Show HN: Termiteam – Control center for multiple AI agent terminals

The only U.S. particle collider shuts down

Ask HN: Why do purchased B2B email lists still have such poor deliverability?

Show HN: Remotion directory (videos and prompts)

Portable C Compiler

Show HN: Kokki – A "Dual-Core" System Prompt to Reduce LLM Hallucinations

Software Engineering Transformation 2026

Microsoft purges Win11 printer drivers, devices on borrowed time

Lunch with the FT: Tarek Mansour

Old Mexico and her lost provinces (1883)

'AI' is a dick move, redux

The source code was the moat. But not anymore

Does anyone else feel like their inbox has become their job?

An AI model that can read and diagnose a brain MRI in seconds

Dev with 5 of experience switched to Rails, what should I be careful about?

AlphaFace: High Fidelity and Real-Time Face Swapper Robust to Facial Pose

Scientists discover “levitating” time crystals that you can hold in your hand

Rammstein – Deutschland (C64 Cover, Real SID, 8-bit – 2019) [video]

Tell HN: Yet Another Round of Zendesk Spam

Postgres Message Queue (PGMQ)

Show HN: Django-rclone: Database and media backups for Django, powered by rclone

NY lawmakers proposed statewide data center moratorium

OpenClaw AI chatbots are running amok – these scientists are listening in

Show HN: AI agent forgets user preferences every session. This fixes it

Introduce the Vouch/Denouncement Contribution Model

Show HN: SSHcode – Always-On Claude Code/OpenCode over Tailscale and Hetzner

Microsoft appointed a quality czar. He has no direct reports and no budget

Multi-agent coordination on Claude Code: 8 production pain points and patterns

Washington Post CEO Will Lewis Steps Down After Stormy Tenure

Show HN: Minecraft Creeper meets 90s Tamagotchi

Show HN: Termiteam – Control center for multiple AI agent terminals

The only U.S. particle collider shuts down

Ask HN: Why do purchased B2B email lists still have such poor deliverability?

Show HN: Remotion directory (videos and prompts)

Portable C Compiler

Show HN: Kokki – A "Dual-Core" System Prompt to Reduce LLM Hallucinations

Software Engineering Transformation 2026

Microsoft purges Win11 printer drivers, devices on borrowed time

Lunch with the FT: Tarek Mansour

Old Mexico and her lost provinces (1883)

'AI' is a dick move, redux

The source code was the moat. But not anymore

Does anyone else feel like their inbox has become their job?

An AI model that can read and diagnose a brain MRI in seconds

Dev with 5 of experience switched to Rails, what should I be careful about?

AlphaFace: High Fidelity and Real-Time Face Swapper Robust to Facial Pose

Scientists discover “levitating” time crystals that you can hold in your hand

Rammstein – Deutschland (C64 Cover, Real SID, 8-bit – 2019) [video]

Tell HN: Yet Another Round of Zendesk Spam

Postgres Message Queue (PGMQ)

Show HN: Django-rclone: Database and media backups for Django, powered by rclone

NY lawmakers proposed statewide data center moratorium

OpenClaw AI chatbots are running amok – these scientists are listening in

Show HN: AI agent forgets user preferences every session. This fixes it

Introduce the Vouch/Denouncement Contribution Model

Show HN: SSHcode – Always-On Claude Code/OpenCode over Tailscale and Hetzner

Microsoft appointed a quality czar. He has no direct reports and no budget

Multi-agent coordination on Claude Code: 8 production pain points and patterns

Washington Post CEO Will Lewis Steps Down After Stormy Tenure

Tell HN: Poshmark instantly leaked my email to scammers

Comments