StockX data breach reportedly exposes millions of customers' data

StockX, a Detroit-based online marketplace for sneakers, experienced a data breach — and the breach may have exposed its customers’ personal information.

The company said in a message on its website on Monday that it launched a forensic investigation following the incident.

“Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history," the company said in the message.

TechCrunch reported that on Thursday, StockX asked customers to reset their password, but cited the reason for the password update as "system updates" and did not initially provide further information. TechCrunch further reported that an unnamed data breach seller contacted TechCrunch and said the breach happened back in May and affects 6.8 million users. The seller provided TechCrunch with a sample of customers data, and when TechCrunch contacted some customers to confirm whether the information was correct, the customers said it was. The seller apparently put the data on sale for $300 on a dark web listing, and at the time of TechCrunch's reporting, one person had bought the data.

"The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency," TechCrunch reported. "The data also included the user’s device type, such as Android or iPhone, and the software version."

Though the breach reportedly occurred in May, according to TechCrunch, it is unclear when StockX learned about it. However, StockX said "upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist." The company said it launched a system-wide security update and reset passwords for all customers, along with other steps to strengthen security.

“In the meantime, out of an abundance of caution, we recommend that if you use your StockX password for other accounts, you change those passwords as well,” the company said in its statement.

StockX was founded in 2015 by Dan Gilbert, Greg Schwartz, Josh Luber, and Chris Kaufman. It authenticates products before reselling them, and deals primarily in the resale of sneakers — though it also sells streetwear, handbags, and watches.

Stay on top of Detroit news and views. Sign up for our weekly issue newsletter delivered each Wednesday.