StockX, an online marketplace for buying and selling sneakers, suffered a major data breach in May impacting 6.8 million customers. Records leaked included names, email addresses and hashed passwords. The full scale of this data breach came to light after an unnamed data breached seller contacted TechCrunch claiming information about the attack. Tech crunch then verified the claims by contacting people from a sample of 1,000 records using the information only they would know.
StockX released a statement yesterday acknowledging that a data breach had indeed occurred.
StockX says they were made aware of the breach on July 26 and immediately launched a forensic investigation and engaged experienced third-party data experts to assist. On getting evidence to suggest customer data may have been accessed by an unknown third party, they sent customers an email on August 3 to make them aware of the incident. This email surprisingly asked customers to reset their passwords citing system updates but said nothing about the data breach leaving users confused on what caused the alleged system update or why there was no prior warning.
Later the same day, StockX confirmed that they had discovered a data security issue and confirmed that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. The hashes were encrypted using MD5 with salts. According to weleakinfo, this is a very weak hashing algorithm; at least 90% of all hashes can be cracked successfully.
Users were infuriated that instead of being honest, StockX simply sent their customers an email asking them to reset their passwords.
You claim to take this seriously, but this would’ve been covered up if not for @TechCrunch @zackwhittaker breaking this. Rather than be honest, a simple “reset your password” went out. As a comp. based on authenticity experts, ur biz practice is fake.
— Asaud7 (@Asaud_7) August 4, 2019
Another confirmation that @stockx was hacked and that it wasn't just a system update. They should've been honest. This could put thousands of users at risk. Very disappointing. https://t.co/a6vk4kFvWT
— Jacques Slade (@kustoo) August 3, 2019
Why did it take an article in TechCrunch being published for you to come clean. You really fucked up by not beating them to the punch, even if you didn’t know the full extent. Trust takes a long time to earn, but a second to lose. #stockx #Breach
— Run Chappy Run (@RunWithChappy) August 4, 2019
StockX released a system-wide security update, a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords, a high-frequency credential rotation on all servers and devices and a lockdown of their cloud computing perimeter. However, they were a little too late in their ‘ongoing investigation’ as they mention on their blog. Techcrunch revealed that the seller had put the data for sale for $300 in a dark web listing and one person had already bought the data. StockX is also subject to EU’s General Data Protection Regulation considering it has a global customer base and can be potentially fined for the incident.
— Complex Sneakers (@ComplexSneakers) August 3, 2019
According to FTC, StockX is also not compliant with the US laws regarding a data breach.
According to the @FTC, @Stockx is not compliant with the laws regarding a data breach. The email telling us simply to change our password is not enough and extremely unprofessional coming from a billion dollar company. pic.twitter.com/GL8aGYhGn5
— zruss (🥺🌲) (@zruss) August 3, 2019