
StockX breach exposes customer information

August 5, 2019 - BleepingComputer


Over the weekend, StockX announced that its sneaker and streetwear marketplace had been hacked and that an unauthorized party had gained access to customer data. This intrusion is what prompted the password reset emails sent to all customers last week.

At the end of last week, StockX began sending out emails to all of their customers stating that a password reset was required due to a security update. Receiving password reset emails out of the blue caused customers to become suspicious, but StockX representatives on Twitter assured them that the emails were legitimate.


In a statement sent to BleepingComputer, StockX said that the password resets were triggered by suspicious activity it had detected.

In a later statement sent to BleepingComputer on Saturday night, StockX admitted that their systems were hacked.


StockX stated that they were alerted to suspicious activity regarding customer data and launched an investigation. This investigation led them to discover that an attacker gained access to their system and was able to access the personal information of their customers.

This information consists of customer name, email address, shipping address, username, hashed passwords, and purchase history.

“Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history,” StockX stated in their data security issue notice. “From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”

As part of their mitigation of this breach StockX stated they performed the following steps:

  1. a system-wide security update;
  2. a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords; 
  3. high-frequency credential rotation on all servers and devices; and
  4. a lockdown of our cloud computing perimeter

In response to further questions about the incident, such as the number of affected customers or how the attacker gained access, BleepingComputer was told that StockX has nothing else to share at this time.

“We will update our customers when we have more details we can confirm.”

Customer information allegedly being sold online

TechCrunch reports that the customer information stolen during this hack is allegedly being sold on underground hacking markets.

An unnamed data breach seller shared 1,000 samples of the StockX records being sold online with TechCrunch, who confirmed that the data was for actual StockX customers.

The data being sold included account information, hashed passwords, shoe sizes, and trading currency.

“The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message.”
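The hashing detail in TechCrunch's description matters more than the shoe sizes: a per-record salt stops precomputed rainbow tables, but it does nothing against offline guessing when the hash itself is MD5, which costs about a microsecond per guess. The following example is added here to demonstrate that point; it is not code from the article, from StockX or from TechCrunch. The records, salts and passwords are constructed for the demo, and the layout md5(salt || password) is an assumption, since StockX has not published its hashing scheme. The block runs a dictionary attack over the constructed rows and then measures the per-guess cost of salted MD5 against a deliberately slow KDF (PBKDF2-HMAC-SHA256 here; Argon2id or bcrypt are the usual production choices).

```python
import hashlib
import hmac
import os
import time

# Constructed sample: "leaked" rows in the shape TechCrunch describes
# (per-user salt + MD5). They are generated here from known plaintexts
# and are NOT real StockX data. md5(salt || password) is an assumed layout.
SAMPLE_USERS = [
    ("alice@example.com", "Sneakers2019!"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "correct horse battery staple"),
]
# A tiny stand-in for the multi-million-entry wordlists crackers actually use.
COMMON_WORDLIST = ["123456", "password", "password1", "Sneakers2019!", "qwerty"]


def salted_md5(salt: bytes, password: str) -> str:
    """The weak scheme: a single MD5 over salt || password. The salt defeats
    precomputed tables but does nothing about per-record guessing speed."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_leaked_records():
    """Build the constructed breach rows as {email, salt, hash} dicts."""
    records = []
    for email, password in SAMPLE_USERS:
        salt = os.urandom(8)
        records.append({"email": email, "salt": salt, "hash": salted_md5(salt, password)})
    return records


def dictionary_attack(records, wordlist):
    """Offline attack on leaked salted-MD5 rows: for every record, hash each
    wordlist entry with that record's own salt and compare. Returns the
    recovered passwords keyed by email."""
    cracked = {}
    for rec in records:
        for guess in wordlist:
            # The attacker holds the hashes, so a plain comparison is fine here.
            if salted_md5(rec["salt"], guess) == rec["hash"]:
                cracked[rec["email"]] = guess
                break
    return cracked


def slow_hash(salt: bytes, password: str, iterations: int = 200_000) -> bytes:
    """The hardened alternative: a deliberately slow, salted KDF. Each guess
    an attacker makes now costs the same `iterations` of work the server pays."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_slow(salt: bytes, stored: bytes, password: str) -> bool:
    """Server-side login check using a constant-time comparison."""
    return hmac.compare_digest(slow_hash(salt, password), stored)


def per_guess_cost():
    """Seconds per guess under each scheme. The ratio between the two is the
    factor by which a cracking rig's throughput drops after the migration."""
    salt = os.urandom(8)
    n_md5, n_kdf = 2000, 3
    t0 = time.perf_counter()
    for i in range(n_md5):
        salted_md5(salt, f"guess{i}")
    t_md5 = (time.perf_counter() - t0) / n_md5
    t0 = time.perf_counter()
    for i in range(n_kdf):
        slow_hash(salt, f"guess{i}")
    t_kdf = (time.perf_counter() - t0) / n_kdf
    return {"md5": t_md5, "pbkdf2": t_kdf}


if __name__ == "__main__":
    rows = make_leaked_records()
    print("cracked:", dictionary_attack(rows, COMMON_WORDLIST))
    print("seconds per guess:", per_guess_cost())
```

Running the block cracks the two accounts whose passwords appear in the wordlist and leaves the passphrase account alone, which is the practical takeaway for affected users: the forced reset StockX pushed is necessary, but anyone who reused a weak password elsewhere should assume it is already being tried against other sites. The timing function shows why defenders migrate away from fast hashes rather than relying on salts alone.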

Disclosure could have been handled better

Overall, StockX’s disclosure of this attack could have been handled better.

Instead of sending out vaguely worded password reset emails that only left customers confused, a security notice should have been posted at the same time.

Admitting the hack only gradually, through a series of weekend statements, left a bad taste: it made it look as if StockX was trying to hide the incident.


