Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

StockX confirms a data breach impacting 6.8 million customers

Save for later
  • 3 min read
  • 09 Aug 2019

article-image

StockX, an online marketplace for buying and selling sneakers, suffered a major data breach in May impacting 6.8 million customers. Records leaked included names, email addresses and hashed passwords. The full scale of this data breach came to light after an unnamed data breached seller contacted TechCrunch claiming information about the attack. Tech crunch then verified the claims by contacting people from a sample of 1,000 records using the information only they would know.

StockX released a statement yesterday acknowledging that a data breach had indeed occurred.

StockX says they were made aware of the breach on July 26 and immediately launched a forensic investigation and engaged experienced third-party data experts to assist. On getting evidence to suggest customer data may have been accessed by an unknown third party, they sent customers an email on August 3 to make them aware of the incident. This email surprisingly asked customers to reset their passwords citing system updates but said nothing about the data breach leaving users confused on what caused the alleged system update or why there was no prior warning.

Later the same day, StockX confirmed that they had discovered a data security issue and confirmed that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. The hashes were encrypted using MD5 with salts. According to weleakinfo, this is a very weak hashing algorithm; at least 90% of all hashes can be cracked successfully.

Users were infuriated that instead of being honest, StockX simply sent their customers an email asking them to reset their passwords.

https://twitter.com/Asaud_7/status/1157843000170561536

https://twitter.com/kustoo/status/1157735133157314561

https://twitter.com/RunWithChappy/status/1157851839754383360

StockX released a system-wide security update, a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords, a high-frequency credential rotation on all servers and devices and a lockdown of their cloud computing perimeter. However, they were a little too late in their ‘ongoing investigation’ as they mention on their blog. Techcrunch revealed that the seller had put the data for sale for $300 in a dark web listing and one person had already bought the data. StockX is also subject to EU’s General Data Protection Regulation considering it has a global customer base and can be potentially fined for the incident.

https://twitter.com/ComplexSneakers/status/1157754866460221442

According to FTC, StockX is also not compliant with the US laws regarding a data breach.

https://twitter.com/zruss/status/1157785830200619008


Following Capital One data breach, GitHub gets sued and AWS security questioned by a US Senator.

British Airways set to face a record-breaking fine of £183m by the ICO over customer data breach.

U.S. Senator introduces a bill that levies jail time and hefty fines for companies violating data breaches.

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime