The e-commerce platform StockX notified customers that it discovered a data breach late last month in which an unknown hacker obtained and sold nearly 7 million customer records.
The Detroit-based company serves as a platform on which customers can buy and sell high-end deadstock sneakers, handbags, and apparel. StockX also provides authentication services for all traded products to ensure they aren’t knockoffs.
The first sign that something was amiss on StockX occurred on Aug. 1, when customers received email notifications that their passwords had been reset. The company falsely claimed the resets were needed following “system updates” it had performed.
The password reset notifications left several StockX customers perplexed. Some customers suspected the new password solicitation was a phishing scam. After all, the company had not reached out to customers to give them a heads-up. System updates are normal but they don’t normally require a password update.
TechCrunch later confirmed that StockX had been “alerted to suspicious activity” on its site but the company declined to elaborate. An unidentified cybercriminal contacted TechCrunch and claimed that a hacker had swiped more than 6.8 million records from the website in May. The person who contacted TechCrunch was hawking the stolen data on the dark web.
TechCrunch verified that the seller had indeed listed the data for sale on the dark web for $300. At the time, one sale had already been made.
TechCrunch also said the seller provided a sample of 1,000 of the stolen records. The data contained full names, email addresses, scrambled passwords, shoe size, trading currency, device type (such as Android or iPhone), and the software version, among other data. The company said it does not believe financial or payment information was compromised in the breach.
StockX alerted its customers to the hack on Aug. 8, disclosing that it had “discovered a data security issue” and was “alerted to suspicious activity potentially involving customer data.” The company said it first learned of the data breach on July 26.
The company is offering its customers free fraud detection and identity theft protection for a year. The data breach remains under investigation, and StockX said it has taken a series of remedial measures to safeguard its customers’ data.
Beasley Allen lawyer Archie Grubb handles cases involving fraud, including issues involving cybersecurity affecting consumers, the public and employees. If you feel you have a claim of economic loss related to cybersecurity issues, he would like to talk with you.