StockX Hack Exposes Personal Information of Customers

StockX Hack

StockX announced over the weekend that its sneaker and streetwear marketplace had been breached and that an unauthorized party may have gained access to customer information. This breach is why a password reset email was sent to every customer last week.

Late last week, StockX began emailing all of its customers to say that a password reset was required because of a "security update". The unexpected reset emails made customers suspicious, but StockX staff on Twitter assured them that the emails were genuine.


StockX later said in a statement that the resets had been triggered by suspicious activity.

In a follow-up statement sent on Saturday night, StockX admitted that its systems had been hacked.

The StockX breach exposed customer information

StockX said it was alerted to suspicious activity involving customer data and opened an investigation. That investigation found that an attacker had gained access to its systems and could have accessed customers' personal data.

This information includes the customer's name, email address, shipping address, username, hashed password and purchase history.

"While our investigation remains ongoing, forensic evidence to date suggests that a third party may have had access to certain customer information, including customer name, email address, shipping address, username, hashed passwords and purchase history," StockX said in its data security notice. "There is no evidence from our investigation to date that customer financial or payment information was affected."

StockX said it has taken the following steps in response to the breach:

  1. a system-wide security update,
  2. a complete reset of all customer passwords, with an email alerting customers to the reset,
  3. high-frequency credential rotation on all servers and devices, and
  4. a lockdown of its cloud computing perimeter.

Asked further questions about the incident, such as how many customers were affected or how the attacker gained access, StockX told us it had nothing else to share.

“If we have more information we can confirm, we will update our clients.”

Customer information allegedly being sold online

TechCrunch reports that the stolen customer data is already being offered for sale on underground hacking markets.

An unnamed data breach seller shared a sample of 1,000 StockX records, which were verified as belonging to current StockX users.

The data for sale includes account information, hashed passwords, shoe sizes and trading currency.

"The stolen data contained names, email addresses, scrambled passwords (believed to have been hashed and salted with the MD5 algorithm) and other profile information, such as shoe size and trading currency. It also included the user's device type, such as Android or iPhone, and the software version. A number of other internal flags were found, such as whether the user was banned or whether European users had accepted the company's GDPR notice."
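The detail that the passwords were "hashed and salted with MD5" matters more than it might seem. A per-user salt defeats precomputed rainbow tables, but MD5 is a fast general-purpose hash, so whoever holds the leaked records can still run an offline dictionary attack against each user's hash at millions of guesses per second, and weak passwords fall in seconds. The following is an added example, not StockX's code and not anything from TechCrunch's report: it cracks a salted-MD5 record from a small wordlist and contrasts it with a deliberately slow password hash (PBKDF2-HMAC-SHA256 from Python's standard library, at the OWASP-recommended 600,000 iterations). The record format, the wordlist and the sample password are constructed for illustration; the report does not say how StockX actually stored its hashes.

```python
import hashlib
import hmac
import os
import time

# Constructed sample inputs for this example (not data from the breach).
SAMPLE_WORDLIST = ["123456", "password", "sneakerhead", "yeezy350", "jordan1", "stockx2019"]

# Hypothetical record format, assumed for illustration: "<salt hex>:<digest hex>".


def salted_md5(password: str, salt: bytes) -> str:
    """One fast MD5 over salt || password: the kind of scheme the report describes."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_md5_record(password: str, salt: bytes = None) -> str:
    """Store a password the weak way: random salt plus a single MD5."""
    salt = salt if salt is not None else os.urandom(8)
    return f"{salt.hex()}:{salted_md5(password, salt)}"


def crack_md5_record(record: str, wordlist):
    """Offline dictionary attack on one leaked salted-MD5 record.

    The salt is stored next to the digest, so it hides nothing from an attacker;
    it only forces the work to be redone per user. Returns (password, guesses_tried),
    or (None, len(wordlist)) when no candidate matches.
    """
    salt_hex, digest = record.split(":")
    salt = bytes.fromhex(salt_hex)
    for tried, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(salted_md5(guess, salt), digest):
            return guess, tried
    return None, len(wordlist)


# Contrast: a slow, iterated password hash. Every guess costs the attacker the
# same 600,000 HMAC-SHA256 iterations that the legitimate login pays once.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_digest(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    ).hex()


def make_pbkdf2_record(password: str, salt: bytes = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    return f"pbkdf2:{salt.hex()}:{pbkdf2_digest(password, salt)}"


def verify_pbkdf2_record(record: str, password: str) -> bool:
    _, salt_hex, digest = record.split(":")
    return hmac.compare_digest(pbkdf2_digest(password, bytes.fromhex(salt_hex)), digest)


def crack_pbkdf2_record(record: str, wordlist):
    """Same dictionary attack, now paying the full PBKDF2 cost per guess."""
    for tried, guess in enumerate(wordlist, start=1):
        if verify_pbkdf2_record(record, guess):
            return guess, tried
    return None, len(wordlist)


def seconds_per_guess(crack, record: str, wordlist) -> float:
    """Wall-clock cost per candidate password on this machine, for either scheme."""
    start = time.perf_counter()
    _, tried = crack(record, wordlist)
    return (time.perf_counter() - start) / tried


if __name__ == "__main__":
    user_password = "yeezy350"  # constructed weak password that appears in the wordlist
    md5_rec = make_md5_record(user_password)
    pbk_rec = make_pbkdf2_record(user_password)
    print("salted MD5:", crack_md5_record(md5_rec, SAMPLE_WORDLIST),
          f"{seconds_per_guess(crack_md5_record, md5_rec, SAMPLE_WORDLIST):.2e} s/guess")
    print("PBKDF2    :", crack_pbkdf2_record(pbk_rec, SAMPLE_WORDLIST),
          f"{seconds_per_guess(crack_pbkdf2_record, pbk_rec, SAMPLE_WORDLIST):.2e} s/guess")
```

Both schemes give up the weak password to the wordlist; the difference is the price per guess, which is several orders of magnitude higher for PBKDF2 (or, better still, bcrypt, scrypt or Argon2). That gap is what buys time after a leak. Since the leaked StockX hashes were fast MD5, forcing a reset of every password was the right call, and any customer who reused that password elsewhere should assume it is now known.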

The disclosure could have been handled better

Overall, StockX's disclosure of this attack could have been handled better.

Instead of vaguely worded emails that left customers confused, a security notice should have been issued at the same time as the password reset.

Acknowledging the hack only gradually, over a series of weekend statements, left a bad taste, since it feels as though StockX was trying to conceal the incident.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.