StockX, a Detroit based startup that runs a popular platform for buying and selling sneakers and other apparel, suffered a major hacking attack in May, TechCrunch reports. The law enforcement agencies are notified of the incident.
On August 08, StockX sent a letter to their customers “Notice of Data Breach”, in which they confirmed that a data security incident took place in May. The letter was signed by CEO Scott Cutler, who also used the opportunity to express his regrets and apologies.
Interestingly, the letter was sent to customers five days after TechCrunch broke the news concerning the hacking incident, exclusively reporting that the attack resulted in around 6.8 million worth of stolen records from customers, which were then sold for $300 in a dark web listing in the meantime.
TechCrunch reporter got access to some of the data, which was then verified with customers.
“We contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate,” the TechCrunch story notes.
In spite of the fact that an email was initially sent to StockX customers two days before the TechCrunch story was published, the e-mail only cited “system updates” as justification for the requested password change. Some of StockX users thought the email was not legitimate and saw it as a phishing threat.
Thus, the startup essentially tried to hide the fact that it had suffered a major cyber attack. Only after TechCrunch story was out, StockX let their users know the background of the data security incident.
“When we were first alerted to suspicious activity, we focused on identifying and taking proactive measures to protect the StockX community, which included a system-wide update and password reset. We also engaged third-party experts to investigate the suspicious activity to determine what happened and how serious it was,” Cutler said.
“As our investigation continued, forensic evidence revealed that an unknown third party had been able to gain unauthorized access to certain customer data from our cloud environment on or around May 14, 2019,” added Cutler.
As confirmed in the letter sent to customers, the affected data includes names, email addresses, city/street address, the username, hashed password, and purchase history. To this day, StockX insists that no financial or payment information has been affected. On the other hand, TechCrunch hit back at Stock X for “failing to inform customers when it first learned of the data breach and why it misled customers prior to our reporting”.
In June, the New York Times reported that StockX had successfully closed a funding round worth $110 million from investment companies such as DST Global, General Atlantic, and GGV Capital. The Detroit-based startup is valued at over $1 billion.