Tell HN: Poshmark instantly leaked my email to scammers

9•hardenedmetapod•2w ago

Browsing for an obscure piece of electronics, I ran across a Poshmark listing that had it for considerably cheaper than anywhere else.

I didn't have an account yet, so I signed up with Google SSO and was able to place the order.

About an hour later I got an email as if I was the seller telling me to click this link to verify my account for my funds to be deposited.

Obviously phishing. Upon closer inspection, I had two earlier that were properly filtered to spam that were about 30 minutes after the order.

So the question here is what part of their system is so fundamentally broken that scammers instantly get my email? Does the seller get that upon me making that purchase?

And if that's not the case, then that means somebody has completely compromised their system.

Comments

myself248•2w ago

Yikes. I wonder if there's a way to differentiate between the bad-seller and the poshmark-is-compromised case.

chrisjj•2w ago

Sure. Be a seller.

hardenedmetapod•2w ago

There's a third case that I never considered.

Google SSO is the promoted way of signing in and it auto assigns your email to the username without any special characters so scammers could just be scraping new accounts and making a best guess at the email.

Lame.

chrisjj•2w ago

I'd call that the first case and the second case. Lame indeed.

chrisjj•2w ago

> So the question here is what part of their system is so fundamentally broken that scammers instantly get my email?

Perhaps none. Did the T&Cs permit this disclosure?

hardenedmetapod•2w ago

Not that I can see offhand. It mentions using your email for correspondence and copyright disputes.

chrisjj•2w ago

I'd say odds on Poshmark leaking your address to the seller.

The fact you got spam so soon makes me wonder, did you get your goods?

altairprime•2w ago

Sounds exactly like a common website “significantly cheaper” scam, only on Poshmark slash Etsy slash Amazon, where the seller is provided your contact info in order to ship you things. Did they have a history of completed sales? Did you ask any questions and get a response (or not) before purchasing? Someone always ends up being the first rube at any online marketplaces from a scam seller who hasn’t been reported yet, at least when said marketplaces aren’t doing serious in-person identity verification first, and this time you’re the lucky one.

OpenAI might pivot to the "most addictive digital friend" or face extinction

Show HN: Know how your SaaS is doing in 30 seconds

ClawdBot Ordered Me Lunch

What the News media thinks about your Indian stock investments

Running Lua on a tiny console from 2001

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

New filtration technology could be game-changer in removal of PFAS

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Kinda Surprised by Seadance2's Moderation

I Write Games in C (yes, C)

Django scales. Stop blaming the framework (part 1 of 3)

Malwarebytes Is Now in ChatGPT

Thoughts on the job market in the age of LLMs

Show HN: Stacky – certain block game clone

AIII: A public benchmark for AI narrative and political independence

SectorC: A C Compiler in 512 bytes

The API Is a Dead End; Machines Need a Labor Economy

Digital Iris [video]

New wave of GLP-1 drugs is coming–and they're stronger than Wegovy and Zepbound

Convert tempo (BPM) to millisecond durations for musical note subdivisions

Show HN: Tasty A.F.

The Contagious Taste of Cancer

U.S. Jobs Disappear at Fastest January Pace Since Great Recession

Bithumb mistakenly hands out $195M in Bitcoin to users in 'Random Box' giveaway

Beyond Agentic Coding

OpenClaw ClawHub Broken Windows Theory – If basic sorting isn't working what is?

OpenBSD Copyright Policy

OpenClaw Creator: Why 80% of Apps Will Disappear

What Happens When Technical Debt Vanishes?

AI Is Finally Eating Software's Total Market: Here's What's Next

OpenAI might pivot to the "most addictive digital friend" or face extinction

Show HN: Know how your SaaS is doing in 30 seconds

ClawdBot Ordered Me Lunch

What the News media thinks about your Indian stock investments

Running Lua on a tiny console from 2001

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

New filtration technology could be game-changer in removal of PFAS

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Kinda Surprised by Seadance2's Moderation

I Write Games in C (yes, C)

Django scales. Stop blaming the framework (part 1 of 3)

Malwarebytes Is Now in ChatGPT

Thoughts on the job market in the age of LLMs

Show HN: Stacky – certain block game clone

AIII: A public benchmark for AI narrative and political independence

SectorC: A C Compiler in 512 bytes

The API Is a Dead End; Machines Need a Labor Economy

Digital Iris [video]

New wave of GLP-1 drugs is coming–and they're stronger than Wegovy and Zepbound

Convert tempo (BPM) to millisecond durations for musical note subdivisions

Show HN: Tasty A.F.

The Contagious Taste of Cancer

U.S. Jobs Disappear at Fastest January Pace Since Great Recession

Bithumb mistakenly hands out $195M in Bitcoin to users in 'Random Box' giveaway

Beyond Agentic Coding

OpenClaw ClawHub Broken Windows Theory – If basic sorting isn't working what is?

OpenBSD Copyright Policy

OpenClaw Creator: Why 80% of Apps Will Disappear

What Happens When Technical Debt Vanishes?

AI Is Finally Eating Software's Total Market: Here's What's Next

Tell HN: Poshmark instantly leaked my email to scammers

Comments