E-Commerce Site StockX Confirms It Was Hacked, Exposing Data From 6.8 Million Customers

It looks like this week is dead set on proving that old superstition about bad omens: They always come in threes.

First Capital One announced a massive data breach. Then the Entertainment Software Association leaked a bunch of professionals’ personal information. And now multiple reports say the “system updates” that e-commerce platform StockX claimed to have completed earlier this week were actually the result of a hacker making off with 6.8 million customers’ records.

Topping off this trash heap of news, the full scale of this last breach only came to light after a black market data seller reportedly approached TechCrunch claiming (and later, proving) they had their hands on the stolen data.

On Friday, users received a password reset email from StockX, a popular Detroit-based fashion and sneaker trading site recently valued at more than $1.4 billion. The company’s message attributed the reset to “recently completed system updates on the StockX platform.” When pressed by reporters though, that answer quickly changed.

“StockX was recently alerted to suspicious activity potentially involving our platform,” a company spokesperson told Engadget on Friday without commenting further.

According to the report TechCrunch released Sunday, a data seller informed them that a hacker stole 6.8 million records from StockX back in May, data they subsequently bought from an undisclosed source. TechCrunch verified the claims by using a sample of 1000 records the seller provided to contact users and confirm information only they would know.

The next day, StockX provided a statement to Engadget confirming a breach occurred and detailing the stolen data. The lot included important personal information like users’ names, email addresses, and hashed passwords, along with not-so-important personal information like their shoe sizes and trading currencies.

“From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted,” the statement reads.

Along with the password reset and other security measures, StockX also implemented a “system-wide security update” after discovering the breach, according to the statement. So that first email may have technically been true, even if it did leave out the whole “huge data breach” bit.

As for the lack of transparency, the company said it had incomplete information since the investigation has been ongoing. After that TechCrunch report, though, their information seems to have firmed up in record time. As of writing this, the seller has purportedly already sold the data for $US300 ($442) on the dark web, according to TechCrunch.

Gizmodo has reached out to StockX for comment, and will update this story with their response.