An unauthorized user was able to access customer data, as part of the incident response, StockX forced a password reset for its customers.
Last week the company sent out emails to instruct users to reset their passwords due to a mandatory security update.
At the end of last week,
According to TechCrunch this was a partial truth, because an unnamed
“A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further. But that wasn’t the whole truth.” reported TechCrunch.
“An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data. In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.”
The seller was offering the data for sale for $300, he also provided TechCrunch a sample of 1,000 records. TechCrunch We contacted customers and verified the authenticity of the data.
Exposed data included names, email addresses, hashed password (salted MD5), and other profile information such as shoe size and trading currency. The compromised data also included device information and other info used for an internal purpose.
“We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist.” reads the data breach notification. “Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.”
The company announced to have implemented some changes to its infrastructure to mitigate the suspicious activity. These infrastructure changes included:
At the time the company did not disclose the number of affected victims or details about the hack.
“As we investigate,
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – StockX, data breach)