Just weeks after Capital One announced that its cloud-based servers had been breached, intruders made off with millions of StockX customer records.
Last week, StockX became aware of suspicious activity that could potentially involve the platform. While the eCommerce site did not reveal the nature or extent of the threat to its users, it took some precautionary measures.
For one, it implemented a system-wide update. Then, the shoe-selling site sent an email to its customers, asking them to reset their passwords. Along with locking down its “cloud computing perimeter,” StockX also performed a high-frequency credential rotation on all servers and devices.
But, it appears that the “suspicious activity” is more severe than the eCommerce site led its users to believe. According to a TechCrunch report, the warnings stemmed from a severe data breach.
StockX Loses 6.8 Million Customers’ Records to Hackers
The reports say that a hacker stole 6.8 million customer records from the shoe trading site back in May. These include the names, email addresses, (hashed) passwords, as well as trading currencies, shoe sizes, and device version profiles.
TechCrunch also verified these claims. The tech news site contacted people from a sample of 1,000 records the seller provided, and they confirmed information only the users would know.
About 24 hours after the report, StockX issued a statement through Engadget to give credence to TechCrunch’s report.
The statement reads:
“Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”
So, why was the shoe trading site not upfront about the data breach?
In the statement, StockX explained that the investigation was still ongoing at the time, and the information was still incomplete.
“Though we had incomplete information, we felt a responsibility to act immediately to protect our customers while our investigation continued—and we took steps to do so,” says the company.
The breach is still quite significant – even though the intruders did not have access to users’ payment information. That’s because the hackers intend to monetize the data.
At the time of TechCrunch’s reporting, the hackers had put the data up for sale for $300, and someone had already made a purchase.