Last week StockX, a website in which users buy and sell sneakers and fashion accessories according to a stock market-like structure, issued a bewildering statement indicating that it had been forced to reset customers’ passwords due to unspecified “system updates.”
“We recently completed system updates on the StockX platform,” a user notification announced. “To access your account, reset your password by clicking below.”
StockX was lying. Edging closer to the truth, a company representative later admitted that “StockX was recently alerted to suspicious activity potentially involving our platform. Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.”
But as TechCrunch reports, that was a half-truth at best:
“An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.
“In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.”
As proof, this anonymous person gave TechCrunch 1,000 of the stolen customer records. After contacting those customers directly, the news site was able to confirm that the records were genuine.
“The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency,” TechCrunch reports. “The data also included the user’s device type, such as Android or iPhone, and the software version.”
Before publishing its story, TechCrunch reached out to StockX personnel, who declined to comment. “A non-attributable statement published late on Saturday confirmed our reporting, but the company did not answer our specific questions, including why it failed to inform customers when it first learned of the data breach and why it misled customers prior to our reporting.”
Founded in 2015, StockX is now valued at more than $1 billion. If it wishes to stay there, it should perhaps consider apprising customers of security breaches that put them at risk. Opacity and lack of accountability appear to be something of a principle among tech companies. How much longer will people put up with it?