StockX — the $1 billion footwear resale startup and hypebeast moth lamp — was hacked this past May and now, according to TechCrunch, the personal data of over 6.8 million users is available for purchase on the dark web.
Despite having occurred three months ago, StockX kept the data breach under wraps until this past Thursday, when the company sent out an email asking users to reset their passwords due to “system updates.” Later that day, a spokesperson told TechCrunch that “the company was ‘alerted to suspicious activity’ on its site but declined to comment further.”
But then, an “unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker,” informing them that the data was available for $300 and that one person had already purchased the dataset.
That same breach broker — a thing, I learned — also provided the publication with “a sample of 1,000 records,” allowing them to verify the voracity of the information available. And because hackers are good at what they do, every affected customer contacted by TechCrunch “confirmed their data as accurate.”
The stolen data, apparently, consists of “names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and… shoe size and trading currency,” the story said, and also included the user’s “device type, such as Android or iPhone, and the software version.”
No one at StockX responded directly to TechCrunch — who broke the story — but they later posted a “non-attributable statement” on their website “that confirmed [the] reporting.” That statement, however, didn’t address the reasons why StockX “failed to inform customers when it first learned of the data breach and why it misled customers prior to [TechCrunch’s] reporting.”
You can read more about it at TechCrunch.
