StockX was reportedly hacked, exposed millions of customers' data

Posted at 8:23 AM, Aug 05, 2019
and last updated 2019-08-05 14:20:15-04

DETROIT (WXYZ) — Detroit-based company StockX is confirming they were hacked in May, exposing millions of customers' data.

The computer intrusion was first reported by TechCrunch. The website said that the sneaker trading platform sent out a password-reset email to users on Thursday saying they had "system updates," and told them the email was legitimate and not a phishing scam.

According to StockX,

We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist. Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.

TechCrunch reports that a seller of breached data contacted the website saying more than 6.8 million records were stolen by a hacker and put on sale for $300 on the dark web. TechCrunch said the seller gave them 1,000 records, and the website contacted customers and gave them information only they would know from stolen records, like their real name, username, combination and shoe size. The website reports that every person who responded said the data was accurate.

In a statement posted early Monday morning on the website, StockX said, "We were alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, we immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist."

StockX said the data that was impacted includes name, email, shipping address, username, passwords and purchase history, but said financial or payment information wasn't stolen.

StockX said that while investigating, they issued a system-wide security update, a full password reset, high-frequency credential rotation on all servers and a lockdown of the cloud computing perimeter.

Earlier this month, StockX became Detroit's newest $1 billion company. The company is based in downtown Detroit and has built authentication centers in Detroit, New Jersey, Arizona and London.

They’re preparing to grow into the Amsterdam market, a sign that the Detroit-based business has a global reach with sellers and buyers located throughout Europe and China.

How does it all work? StockX lets bidding play out. Once a bid is accepted, the seller ships the item to one of the authentication centers, which ensures the authenticity of the shoes before sending them to the buyer. StockX is the middleman that makes money by charging the sellers a transaction fee.