[BreachExchange] StockX was hacked, exposing millions of customers’ data

Destry Winant destry at riskbasedsecurity.com
Mon Aug 5 02:17:24 EDT 2019


It wasn’t “system updates” as it claimed. StockX was mopping up after
a data breach, TechCrunch can confirm.

The fashion and sneaker trading platform pushed out a password reset
email to its users on Thursday citing “system updates,” but left users
confused and scrambling for answers. StockX told users that the email
was legitimate and not a phishing email as some had suspected, but did
not say what caused the alleged system update or why there was no
prior warning.

A spokesperson eventually told TechCrunch that the company was
“alerted to suspicious activity” on its site but declined to comment

But that wasn’t the whole truth.

An unnamed seller of breached data contacted TechCrunch, claiming that
more than 6.8 million records were stolen from the site in May by a
hacker. The seller declined to say how they obtained the data.

In a dark web listing, the seller put the data up for sale for $300. At
the time of writing, one person had already bought the data.

The seller provided TechCrunch with a sample of 1,000 records. We
contacted customers and gave them information only they would know from
their stolen records, such as their real name and username combination
and shoe size. Every person who responded confirmed their data as

The stolen data contained names, email addresses, scrambled passwords
(believed to be hashed with the MD5 algorithm and salted), and other
profile information — such as shoe size and trading currency. The data
also included the user’s device type, such as Android or iPhone, and
the software version. Several other internal flags were found in each
record, such as whether or not the user was banned or if European
users had accepted the company’s GDPR message.

Under those GDPR rules, a company can be fined up to four percent of
its global annual revenue for violations.

When reached prior to publication, neither spokesperson Katy Cockrel
nor StockX founder Josh Luber responded to a request for comment. A
voicemail left on the spokesperson’s cell was not returned. A
non-attributable statement published late on Saturday confirmed our
reporting, but the company did not answer our specific questions,
including why it failed to inform customers when it first learned of
the data breach and why it misled customers prior to our reporting.

Neither Luber nor chief executive Scott Cutler has commented on the breach.

Jake Williams, founder of Rendition Infosec, said the company “robbed
their users of the chance to evaluate their exposure” by not informing
customers of the breach when it happened.

StockX was last month valued at over $1 billion after a $110 million fundraise.
