StockX, an online marketplace for buying and selling sneakers, suffered a major data breach in May impacting 6.8 million customers. The leaked records included names, email addresses and hashed passwords. The full scale of the breach came to light after an unnamed seller of the stolen data contacted TechCrunch claiming to have information about the attack. TechCrunch then verified the claims by contacting people from a sample of 1,000 records, using information only they would know.
StockX released a statement yesterday acknowledging that a data breach had indeed occurred.
StockX says they were made aware of the breach on July 26, immediately launched a forensic investigation and engaged experienced third-party data experts to assist. After obtaining evidence suggesting that customer data may have been accessed by an unknown third party, they sent customers an email on August 3 to make them aware of the incident. Surprisingly, this email asked customers to reset their passwords, citing system updates, but said nothing about the data breach, leaving users confused about what had prompted the alleged system update and why there had been no prior warning.
Later the same day, StockX confirmed that they had discovered a data security issue and that an unknown third party had been able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. The passwords were hashed with salted MD5. According to weleakinfo, this is a very weak hashing algorithm; at least 90% of all hashes can be cracked successfully.
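The weakness weleakinfo points to is not the salt but the speed of MD5: a salt only prevents precomputed tables, while MD5 itself costs a few hundred nanoseconds per guess, so anyone holding the database can test candidate passwords at enormous rates. The following added example (not StockX's code, and not code from the article) puts a legacy salted-MD5 record format beside a PBKDF2-HMAC-SHA256 one, verifies both with a constant-time comparison, flags legacy records for rehashing at next login, and measures how many guesses per second each scheme permits on one core. The record format (`scheme$[iterations$]salt$digest`), the 600,000-iteration count and the sample password are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demonstration; not from the breach.
SAMPLE_PASSWORD = "constructed-example-password"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to ~0.3 s per hash


def md5_salted_hash(password: str, salt: bytes) -> str:
    """Legacy scheme: MD5 over salt || password. Fast, and therefore weak."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> str:
    """Slow KDF: PBKDF2-HMAC-SHA256 with a tunable iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_record(password: str, scheme: str) -> str:
    """Build a stored credential record under the assumed 'scheme$...' format."""
    salt = os.urandom(16)
    if scheme == "md5":
        return f"md5${salt.hex()}${md5_salted_hash(password, salt)}"
    if scheme == "pbkdf2":
        digest = pbkdf2_hash(password, salt, PBKDF2_ITERATIONS)
        return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest}"
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(password: str, record: str) -> bool:
    """Check a password against a record; compare_digest avoids timing leaks."""
    parts = record.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        salt = bytes.fromhex(parts[1])
        return hmac.compare_digest(md5_salted_hash(password, salt), parts[2])
    if parts[0] == "pbkdf2" and len(parts) == 4:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), parts[3])
    return False  # malformed or unsupported record never verifies


def needs_rehash(record: str) -> bool:
    """True for records that should be upgraded on the next successful login."""
    parts = record.split("$")
    if parts[0] == "md5":
        return True
    return parts[0] == "pbkdf2" and int(parts[1]) < PBKDF2_ITERATIONS


def guesses_per_second(scheme: str, seconds: float = 0.5) -> float:
    """Rough single-core rate at which candidate passwords can be tested."""
    salt = os.urandom(16)
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        candidate = f"candidate{count}"
        if scheme == "md5":
            md5_salted_hash(candidate, salt)
        else:
            pbkdf2_hash(candidate, salt, PBKDF2_ITERATIONS)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    legacy = make_record(SAMPLE_PASSWORD, "md5")
    modern = make_record(SAMPLE_PASSWORD, "pbkdf2")
    print("legacy verifies:", verify(SAMPLE_PASSWORD, legacy), "needs rehash:", needs_rehash(legacy))
    print("modern verifies:", verify(SAMPLE_PASSWORD, modern), "needs rehash:", needs_rehash(modern))
    print(f"salted MD5: ~{guesses_per_second('md5'):,.0f} guesses/s on one core")
    print(f"PBKDF2:     ~{guesses_per_second('pbkdf2'):,.1f} guesses/s on one core")
```

The rate difference is the whole point: the same database that permits millions of MD5 guesses per second per core permits only a few per second under a properly tuned KDF, and dedicated hardware widens the gap further. The `needs_rehash` check is how a site migrates away from a legacy scheme without a forced reset, because the plaintext is only available at login time; a forced reset, as StockX eventually did, is the alternative when the legacy hashes are already in an attacker's hands.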
Users were infuriated that instead of being honest, StockX simply sent their customers an email asking them to reset their passwords.
https://twitter.com/Asaud_7/status/1157843000170561536
https://twitter.com/kustoo/status/1157735133157314561
https://twitter.com/RunWithChappy/status/1157851839754383360
StockX released a system-wide security update: a full reset of all customer passwords with an email alerting customers to the reset, high-frequency credential rotation on all servers and devices, and a lockdown of their cloud computing perimeter. However, they were a little too late in their ‘ongoing investigation’, as they call it on their blog. TechCrunch revealed that the seller had put the data up for sale for $300 in a dark web listing and that one person had already bought it. StockX is also subject to the EU’s General Data Protection Regulation, given its global customer base, and can potentially be fined for the incident.
https://twitter.com/ComplexSneakers/status/1157754866460221442
According to the FTC, StockX is also not compliant with US laws regarding data breach notification.
https://twitter.com/zruss/status/1157785830200619008