Last week, online sneaker marketplace StockX disclosed a major data breach that originally took place in May.
The hack had exposed names, email addresses, shipping addresses, usernames, shoe sizes, hashed passwords, and purchase histories of about 6.8 million customers.
According to Bleeping Computer, the stolen data is now being sold online on dark web.
Have I been Pwned to the rescue
A report by TechCrunch published on August 3 revealed how an unnamed data breach seller had reached out to the publication without saying where or how they obtained the data, and noted the data had a price tag of $300 on a dark web listing.
To see if you’re among those impacted, head to Troy Hunt’s data breach site Have I been Pwned, which added the stolen database over the weekend. To avoid bad actors from exploiting this information to stage credential stuffing attacks, you should immediately consider changing your passwords.
And here’s the @StockX data being sold on the dark web. According to the listing, it’s worth about $300 and it’s already been sold to one person. (We’re not linking to the listing.) pic.twitter.com/6YpEJATEQR
— Zack Whittaker (@zackwhittaker) August 3, 2019
“Anywhere where users have reused StockX passwords is now vulnerable to account takeovers and credential stuffing attacks,” said Jarrod Overson, director of engineering at Shape Security, a Mountain View-based enterprise-focused security startup .
“Users should change all passwords on sites where they have used the same password. At times like this it is a good reminder to consider using a password manager. Password managers can ensure all your passwords are virtually uncrackable and are unique across all sites.”
New details emerge
StockX initially had sent password reset emails under the guise of “system updates,” but a couple of days later it admitted it had fallen victim to a data breach.
While the investigation is still in progress, CEO Scott Cutler sent out a letter on August 8 apologizing for any ambiguity that may have resulted from their misleading initial communication.
The company also clarified it was first alerted to the incident on July 26, after which it was determined that an “unknown third-party” had gotten access to sensitive customer data.
As a compensation, it’s offering 12 months of free fraud detection and identity theft protection to all affected customers.