StockX, a sneaker trading platform, has reportedly been hacked, exposing more than 6.8 million customer records.
On Thursday, customers received a password reset email, with a message attributing the reset to “recently completed system updates on the StockX platform.”
The company did not explain what had prompted the update, leaving customers confused.
When questioned, a spokesperson stated that the company had been “alerted to suspicious activity”.
In a report published by TechCrunch, an unnamed data breach seller claimed that more than 6.8 million records had been stolen from the site in May. The seller had put the data up for sale for $300.
To verify the claim, the seller provided TechCrunch with a sample of 1,000 records; TechCrunch then contacted the affected customers and confirmed details only they would know, such as their shoe sizes and username combinations.
The stolen data included names, email addresses, hashed passwords and other profile information, as well as each user’s device type and software version.
In a statement published Saturday, StockX stated that upon learning of the suspicious activity, a forensic investigation had been launched, and the company had engaged with third-party data incident and forensic experts to assist.
“From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted,” the statement said.
Whilst carrying out the investigation, StockX implemented “immediate infrastructure changes” to address any potential consequences of the suspicious activity. These include:
- A system-wide security update;
- A full password reset of all customer accounts, with an email alerting them of the reset;
- High-frequency credential rotation on all services and devices; and
- A lockdown of our cloud computing perimeter.
“We want you to know that we took these steps proactively and immediately, because we had just begun our investigation and did not yet know the nature, extent, or scope of suspicious activity to which we had been alerted.”
Jake Williams, founder of Rendition Infosec, commented that the company “robbed their users of the chance to evaluate their exposure” by not informing them of the breach immediately after it occurred.