It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.
The fashion and sneaker trading platform pushed out a password reset email to its users on Thursday citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.
A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further.
But that wasn’t the whole truth.
An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data, but promised to soon put the stolen records for sale on the dark web.
The seller provided TechCrunch a sample of 1,000 records. We contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.
The stolen data contained names, email addresses, hashed passwords, and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message.
Under those GDPR rules, a company can be fined up to four percent of its global annual revenue for violations.
When reached prior to publication, neither spokesperson Katy Cockrel nor StockX founder Josh Luber responded to a request for comment.
StockX was last month valued at over $1 billion after a $110 million fundraise.