StockX Reports That an Unknown Third-Party Gained Access to Customer Data

On August 3, 2019, StockX, “the world’s first stock market for things – a live ‘bid/ask’ marketplace,”posted that StockX was

. . . alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, [StockX] immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist. Though [StockX’s] investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From [StockX’s] investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted. [Emphasis added.]

StockX’s ”Notice of Data Breach” sent to its customers stated, among other things, the following:

What Happened?

On July 26, 2019, StockX was alerted to suspicious activity potentially involving customer data. [StockX] immediately launched a forensic investigation and engaged experienced third-party experts to assist. During this first week, while [StockX’s] forensic investigation into the suspicious activity was underway, [StockX] took proactive and precautionary measures to protect our customers.  As described in greater detail . . . below, [StockX] deployed a system-wide update, implemented a full password reset of all customer passwords for all StockX accounts, and on the morning of August 1, 2019 sent customers an email alerting them to the systems update and password reset.

As [StockX’s] investigation continued, forensic evidence revealed that an unknown third party had been able to gain unauthorized access to certain customer data from [StockX’s] cloud environment on or around May 14, 2019. [StockX] worked swiftly to issue an email update of the matter to [StockX’s] customers and are now making this notification to further apprise you of additional facts from our investigation.

As part of [StockX’s] efforts to catch the perpetrator, [StockX has] contacted law enforcement and [has] been working with them in their investigation of the incident. [The]  investigation into the nature, extent, and scope of the incident remains ongoing, and [StockX] will update you with additional information as necessary.

What Information Was Involved?

From [StockX’s] investigation to date, the information affected may include your name, email address, address, username, hashed password, and purchase history.

As indicated in [StockX’s] prior communications, there is no evidence to date to suggest that any of your financial or payment information has been affected. That is because StockX does not store full payment card or financial data of its customers on its network servers or platform. Instead, any StockX payment card data is processed, stored, and hosted by a third-party payment processor, and not StockX. Based on [StockX’s] investigation to date, [StockX has]  no evidence to suggest that [its] third-party payment processing partners or [its] third-party platform has been affected by this incident, nor [does StockX] have any evidence to suggest that any of the customer financial or payment information stored by that third-party has been affected. [Emphasis added.]

Customer Data of Millions Reportedly Exposed by the Data Hack reported [“StockX was hacked, exposing millions of customers’ data”] the following:

It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.

The fashion and sneaker trading platform pushed out a password reset email to its users . . . citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.

A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further.

But that wasn’t the whole truth.

An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.

In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.

The seller provided TechCrunch a sample of 1,000 records. [TechCrunch] contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.

The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message. [Emphasis added.]

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.