StockX, an online marketplace for buying and selling limited-edition and high-demand sneakers, was reportedly hacked yesterday, with more than 6.8 million user records stolen, according to TechCrunch.
Instead of informing its customers of the breach, the company told them that this week’s password reset was for “system updates.” On Thursday, the fashion and sneaker trading platform pushed out a password reset email to its users citing “system updates,” but didn’t mention what caused the alleged system update or why there was no prior warning.
In fact, it wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.
TechCrunch’s Zack Whittaker reports that an unnamed seller contacted TechCrunch, claiming that the information of more than 6.8 million users was stolen from StockX in a data breach back in May. The seller declined to say how they obtained the data. In a dark web listing, the seller put the data up for sale for $300. At the time of writing, one person had already bought the data.
TechCrunch verified the claims by using a sample of 1,000 records provided by the seller to contact users and confirm information only they would know. Every person contacted confirmed their data as accurate. The next day, StockX provided a statement to Engadget confirming a breach occurred and detailing the stolen data. The stolen data contained names, email addresses, scrambled passwords (believed to be hashed with the MD5 algorithm and salted), and other profile information, such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version.