StockX hacked, customers’ data offered for sale on the dark web

StockX, the live marketplace for buying and selling limited edition sneakers, watches, handbags, and streetwear, announced a data breach.

StockX, a live marketplace for buying and selling limited edition sneakers, watches, handbags, and streetwear, has announced that its platform was hacked.

An unauthorized user was able to access customer data. As part of its incident response, StockX forced a password reset for all of its customers.

At the end of last week, the company began sending emails to all of its customers instructing them to reset their passwords, citing a mandatory security update.


Initially StockX stated that it had been alerted to suspicious activity involving customer data. The company immediately launched an investigation, which uncovered the security breach.

According to TechCrunch, this was only a partial truth: an unnamed dark web seller contacted TechCrunch claiming to hold more than 6.8 million records belonging to the company. According to the seller, the data had been stolen by a hacker back in May.

“A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further. But that wasn’t the whole truth.” reported TechCrunch.

“An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data. In a dark web listing, the seller put the data for sale for $ 300. One person at the time of writing already bought the data.”

The seller was offering the data for $300 and also provided TechCrunch with a sample of 1,000 records. TechCrunch contacted the customers in the sample and verified that the data was authentic.

Exposed data included names, email addresses, hashed passwords (salted MD5), and other profile information such as shoe size and trading currency. The compromised data also included device information and other data used for internal purposes. The good news is that no financial data was exposed.
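As an added illustration (not StockX's code and not from the article), here is one defensive pattern for a password store built on salted MD5 like the one exposed here: verify legacy records, transparently rehash with a slow KDF on the next successful login, and flag every account still on the weak format for the kind of forced reset StockX applied. The record formats, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not StockX code. The record formats are assumptions:
#   legacy:   "md5$<hex salt>$<hex md5(salt + password)>"
#   upgraded: "pbkdf2$<iterations>$<hex salt>$<hex derived key>"
PBKDF2_ITERATIONS = 600_000

def legacy_md5_hash(password: str, salt: bytes) -> str:
    """Build a legacy salted-MD5 record (models the weak scheme the page names)."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted KDF record; PBKDF2-HMAC-SHA256 is in the standard library."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, using constant-time compare."""
    parts = stored.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        salt = bytes.fromhex(parts[1])
        candidate = hashlib.md5(salt + password.encode()).hexdigest()
        return hmac.compare_digest(candidate, parts[2])
    if parts[0] == "pbkdf2" and len(parts) == 4:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return hmac.compare_digest(dk.hex(), parts[3])
    return False

def needs_forced_reset(stored: str) -> bool:
    """Once the legacy table is known to be exposed, every account still on
    salted MD5 must be forced through a reset, as StockX did site-wide."""
    return stored.startswith("md5$")

def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success, transparently rehash a legacy MD5
    record with PBKDF2 so it no longer sits in the weak format.
    Returns (ok, record_to_store)."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("md5$"):
        return True, pbkdf2_hash(password)
    return True, stored
```

Accounts that never log in again keep their MD5 record, which is why the transparent upgrade alone is not enough after a breach and a forced reset is still required.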

“We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist.” reads the data breach notification. “Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”

The company announced that it had implemented changes to its infrastructure to mitigate the suspicious activity. These changes included:

  1. a system-wide security update;
  2. a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords; 
  3. high-frequency credential rotation on all servers and devices; and
  4. a lockdown of our cloud computing perimeter

At the time the company did not disclose the number of affected victims or details about the hack.

“As we investigate, StockX will continue to take additional measures, as needed, to protect the privacy of our customers. In the meantime, out of an abundance of caution, we recommend that if you use your StockX password for other accounts, you change those passwords as well.” concludes the company.

The post StockX hacked, customers’ data offered for sale on the dark web appeared first on Security Affairs.