Image credit: Kimberly P. Mitchell/Detroit Free Press/TNS/Sipa USA

StockX confirms it was hacked (updated)

Attackers reportedly stole records from 6.8 million customers.

StockX's warning of "suspicious activity" appears to have stemmed from a serious data breach. TechCrunch has learned through a black market data seller that a hacker stole 6.8 million records from the shoe trading site in May, including names, email addresses and (thankfully hashed) passwords. The data also included less vital info like shoe sizes, trading currencies and device version profiles.

TechCrunch verified the claims by contacting people from a sample of 1,000 records using information only they would know.

While the intruders don't appear to have taken particularly sensitive info, like payment cards, it's still a significant breach -- especially when the seller intends to make the data available through the dark web. It also raises questions as to why StockX alerted users to password resets without explaining what had happened or the extent to which users' data was at risk. Simply put, victims didn't know how large the problem really was.

Update (8/3/19, 10:45PM ET): StockX has confirmed to Engadget that it suffered a data breach. Below is the full statement from the company.

StockX cares deeply about the privacy of our customers. In recent days, our company has discovered a data security issue, and we want to provide you with an update on this situation.

We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist. Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.

While conducting our forensic investigation into the suspicious activity, and out of an abundance of caution, we implemented immediate infrastructure changes to mitigate and address any potential effects of the suspicious activity. These infrastructure changes included:

  • a system-wide security update;
  • a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords;
  • high-frequency credential rotation on all servers and devices; and
  • a lockdown of our cloud computing perimeter.

We want you to know that we took these steps proactively and immediately, because we had just begun our investigation and did not yet know the nature, extent, or scope of suspicious activity to which we had been alerted. Though we had incomplete information, we felt a responsibility to act immediately to protect our customers while our investigation continued—and we took steps to do so.

Again, we take data security and privacy very seriously, and will continue to communicate with our customers and work hard to protect those who trust us with their shopping experience.
