Poshmark increased API security using the Cequence Unified API Protection (UAP) solution to block automated account takeover (ATO) attacks that were overwhelming their online marketplace. Poshmark is a leading social commerce marketplace that enables users to buy and sell new and secondhand styles for women, men, kids, homes, and more. Founded in 2011 in Redwood City, California, Poshmark has over 130 million registered users in its vibrant community across the U.S., Canada, Australia, and India.
The ease, simplicity and fun of the buying and selling experience have enabled millions of people around the world to bring their closets online with just a phone. As the marketplace grew, the company was exposed to an increase in malicious activity that needed to be addressed to preserve the user experience.
Enterprise Retailer Faces Surge in Account Takeover Attempts Amid Rapid Growth
Poshmark’s security team noticed an increase in the variety of new automated account takeover (ATO) attacks that used credential stuffing to compromise the accounts of their users. They saw this increase in attacks across both their web and API applications, neither of which had appropriate protections to detect and block these types of attacks. The attacks were automated by malicious bots, purpose-built for Poshmark’s infrastructure. These bots not only cause security issues, but can also increase infrastructure costs and skew marketing and sales metrics due to increased traffic. Poshmark needed a modern bot management solution that could stop these attacks from disrupting the business and affecting customers.
Traditional CAPTCHA Methods Disrupted User Experience
To identify and block suspected automated attacks, the security team enabled a CAPTCHA challenge that created friction for user sign up and login, disrupting the user experience.
Poshmark looked for a security solution that could block automated fraud attacks while improving the experience for buyers and sellers, and they partnered with Cequence to deploy the Cequence Unified API Protection (UAP) platform.
The goal of the security team was to achieve the following:
- Block Bots: Real-time, native blocking of all malicious bot traffic, ensuring that only real user traffic reaches the application.
- Eliminate CAPTCHA: No longer rely on CAPTCHA as the primary way to distinguish human traffic from bot traffic.
- Easy and Quick Deployment: They wanted to avoid the software cycles needed to integrate the Mobile SDK and JavaScript instrumentation that other solutions require.
Transformed Cybersecurity and Bot Management in Days
After implementing Cequence, Poshmark was able to block malicious bot traffic in real time before it reached their application. This enabled Poshmark to streamline the user experience and ensure that only legitimate users were on their platform.
Poshmark successes include:
- Threat Prevention: Real-time blocking of malicious bot traffic, ensuring that only legitimate user traffic reached their mission-critical applications.
- Fake Account Prevention: Blocked fake account creation used to conduct malicious activity across mobile and web sites.
- Eliminate Downstream Impacts: By blocking ATO attacks and malicious user signups, they were able to significantly reduce downstream impacts such as reliability and uptime problems and fraud.
- Real Human Interactions: Ensured that all new comments on listed items were from real users and not fake comments from automated bots.
- Improved User Experience: An improved user experience, with CAPTCHA challenges delivered only for suspicious traffic to prevent bot activity.
What Poshmark Achieved with Cequence: API Protection at Scale
Through Cequence, the Poshmark security team reduced cancellations of sold items that were the result of fake listings generated by malicious activity. Moreover, they were able to dramatically reduce the impact of CAPTCHA challenges by 99.3%, no longer requiring a challenge for most logins. More significantly, Poshmark was able to block over 609,000 attempted ATO attacks, saving an estimated $2,192,400 in potential account losses.
Read the case study to learn more about how Cequence helped Poshmark improve API security.