Detroit-based sneaker trading website StockX waited days to inform users of a massive hack that may have exposed the records of at least 6.8 million customers — and did so only after the breach was brought to light by a media outlet.
StockX on Saturday posted a message on its site saying that an "unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history." But it likely knew about the breach as early as Thursday, based on an email it sent to customers. Note that "hashed passwords" are only as hard to recover as the hashing scheme makes them, and the notice as quoted does not say which scheme was used, so affected users should treat their old password as exposed and change it anywhere it was reused.
A startup described as the "stock market of things," StockX has this year received significant national attention for its valuation of more than $1 billion. It was founded by Dan Gilbert and CEO Josh Luber.
First word of the breach came after a third-party data seller told TechCrunch it had obtained the customer records. As of this weekend, the data was up for sale for $300 and had already been purchased by at least one person.
TechCrunch reports StockX initially misled users about what was going on:
It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.
The fashion and sneaker trading platform pushed out a password reset email to its users on Thursday citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.
A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further.
The records were obtained in May. It's unclear when exactly StockX first learned of the breach. A notice on its website says the "data security issue" was discovered in "recent days." It does not say how many people were impacted. The unnamed seller of the breached data told TechCrunch it was at least 6.8 million.
StockX did not immediately return an email for comment.
The company says it has not found evidence that customers' financial or payment information was impacted.
According to TechCrunch, StockX could be penalized for the breach:
Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message.
Under those GDPR rules, a company can be fined up to four percent of its global annual revenue for violations.