After raising a fund of $110 million in June, StockX, a sneaker trading platform, appears to be one step closer to become listing. However, this platform has been hacked last week.
According to TechCrunch, a team of hackers broke into the StockX user database of the sneaker trading platform, resulting in the disclosure of more than 6.8 million user profiles, including user names, login passwords, real names and recipient addresses, which were quickly sold on the dark web for as little as $300.
The fashion and sneaker trading platform launched a password reset email to users on Thursday, citing “system updates,” but the users got confused and scrambled to find answers. StockX told the user that the email is legitimate, not a phishing email, but did not explain the cause of the so-called system update or the reason for no prior warning. A spokesperson eventually told TechCrunch that the company “warned suspicious activity” on its website but refused to comment further.
An unnamed data breach seller contacted TechCrunch, claiming that the hacker stole more than 6.8 million records from the site in May. The seller refused to disclose how they obtained the data. In a dark network list, the seller sold the data for $300. At the time of this writing, someone has already purchased the data.
The seller provided a sample of 1,000 records to TechCrunch. After that, they contacted the customer and provided them with information they could only learn from their stolen records, such as their real name and username combination and shoe size. Everyone who responded confirmed that their data was accurate.
Stolen data includes name, email address, password (considered to be hashed using the MD5 algorithm), and other profile information – such as shoe size and transaction currency. The data also includes the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether the user was banned, or whether the European user accepted the company’s GDPR message. Under these GDPR rules, a company may be fined up to 4% of its global annual income for its violations.
Prior to the release, spokesperson Katy Cockrel and StockX founder Josh Luber did not respond to requests for comment. The voicemail left in the speaker’s cell was not returned. An unacceptable statement issued on Saturday night confirmed the reports. Both Rubel and CEO Scott Cutler did not comment on the violation. Jake Williams, founder of Rendition Infosec, said the company “deprived their users of the opportunity to assess their exposure” and did not tell customers when the vulnerability occurred.
Published by & last updated on August 7, 2019 1:39 am