Online sneaker marketplace failed to come clean about 6.8M record data breach

StockX — a popular online marketplace for sneakerheads and streetwear aficionados to trade apparel — is the latest company to fall victim to a massive data breach affecting millions of its users.

As if that wasn’t bad enough, TechCrunch reported over the weekend that the incident happened almost three months ago, in May.

Although StockX has not disclosed the exact number of affected users, the marketplace said “an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history.”

TechCrunch’s report, however, puts the number at 6.8 million after an unnamed data breach seller contacted the publication with the information.

The seller declined to say how they obtained the data. In a dark web listing, the seller put the data up for sale for $300. At the time of writing, one person had already bought it.

StockX, for its part, has maintained that it found no evidence of customers’ financial or payment information being affected as a result of the breach. But some users on Twitter are pointing out that fraudulent purchases have been made through their accounts.

From “system updates” to “suspicious activity”

TechCrunch, which had access to a sample of 1,000 records, said the stolen information also included shoe size, trading currency, the user’s device type (Android or iPhone) and software version, and also “whether or not the user was banned or if European users had accepted the company’s GDPR message.”

The revelations came two days after StockX, on August 1, sent unexplained “password reset” emails to its customers without any prior warning. “We recently completed system updates on the StockX platform. To access your account, reset your password by clicking below,” the email read.

While StockX founder Josh Luber confirmed the password resets were “legit,” it wasn’t until Saturday the actual reason behind the “system updates” was revealed.

Following the breach, and with a forensic investigation still ongoing, the company forced a password reset for all of its users and locked down its cloud infrastructure systems.

The ecommerce platform also said that when the original password reset emails were sent, the nature, extent, and scope of the suspicious activity were not yet known.

But several questions remain unanswered. Given that the security incident occurred in May, who alerted StockX to the data breach, and when? When did the investigation start? Why did it fail to alert customers immediately after discovering the breach? Why send just a password reset email instead of coming clean that there had been a case of unauthorized access?

Image: The password reset email sent by StockX (credit: Edgar Alvarez / Twitter)

Data-breach fatigue

The Detroit-based company was valued at over $1 billion after raising $110 million in June, and even appointed former eBay SVP Scott Cutler to be its new chief executive.

But by not being fully transparent, the lifestyle goods resale marketplace has put itself in a tight spot. That new-found fortune will most likely take a hit.

With this incident, StockX joins a steady stream of companies that have had their systems breached in recent weeks. Last week, US bank Capital One disclosed a security incident affecting 106 million customers, as did clothing reseller Poshmark, which discovered that data from some of its 50 million users had been acquired by an unauthorized third party.

Beyond the personal costs involved, the wave of frequent breaches carries the real danger of setting off data-breach fatigue, potentially leading netizens to become desensitized to the whole idea of privacy and security in a digital world.

The Identity Theft Resource Center (ITRC), in its 2018 End-of-Year Data Breach Report, noted that while the number of breaches reported year over year declined by 23 percent, the amount of personally identifiable information exposed shot up by 126 percent.

Ultimately, it’s the users wanting an online experience that’s transparent and trustworthy who end up getting a raw deal. “It’s concerning that they were hacked, and our data is being sold on the #darknet but makes it worse that @stockx wasn’t honest with its customers,” said a customer in a tweet.
