Public relations is a normal procedure put in place not only to sell but also to save companies during unexpected disasters, but according to new reports, StockX appears to have mishandled a global technology pandemic. Now facing millions of disgruntled customers and a mass security issue, the reselling giant is in hot water.
On Thursday, StockX sent out a mass password reset email to its users stating that it was due to a “system update”. Without much more information, users were left with many questions. That is, until TechCrunch’s Zack Whittaker was contacted by an anonymous seller claiming that the information of more than 6.8 million users was stolen in a data hack dating back to May. Following the information, a spokesperson eventually told the publication that the company was “alerted to suspicious activity” on its site but declined to comment further.
And here's the @StockX data being sold on the dark web. According to the listing, it's worth about $300 and it's already been sold to one person. (We're not linking to the listing.) pic.twitter.com/6YpEJATEQR
— Zack Whittaker (@zackwhittaker) August 3, 2019
Determined to investigate further – as savvy journos do – the online outlet was provided with a sample of 1,000 records and contacted the users to confirm the information. Every person who responded agreed the obtained data was accurate.
According to the report, the stolen data contained names, email addresses, scrambled passwords and further information including shoe size. This information is already being sold on the dark web for $300. While StockX is adamant that no financial information has been released, some users have taken to Twitter claiming that fraudulent purchases have already been made in their name.
Saying that "From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted." is completely false because I was impacted. Someone bought these with my credit card and my account had to be closed. pic.twitter.com/Y3EeVbEZ8g
— julio (@JulyCreps) August 4, 2019
The company, which was valued at $1 billion USD last week, released a statement on its site citing the planned updates and changes to ensure stronger security.
“1. a system-wide security update; 2. a full password reset of all customer passwords with an email to customers alerting them about resetting their passwords; high-frequency credential rotation on all servers and devices; and 3. a lockdown of our cloud computing perimeter.”
And though the company is now taking measures in the public eye, is it a case of too little, too late for its credibility? The lesson: don’t try to hide a serious issue and have it uncovered by a journalist – it looks sketchy.