StockX, the “stock market of things,” has had a massive data breach.
The data included names, email addresses, hashed (or scrambled) passwords, shoe sizes, trading currencies, if they had accepted GDPR compliance, and device version profiles.
TechCrunch reports that the Detroit-based company was hacked back in May, but StockX only disclosed the breach after journalists followed up on an email sent by StockX that many users thought was suspicious.
But did the company did not tell the whole truth in the first email to its users asking them to change their passwords.
StockX originally said it was “system updates” that required people to change their password. They did not mention the breach, nor an investigation into suspicious activity.
TechCrunch then did follow-up investigative work on a sample of 1,000 records they obtained from the black market and were able to match the records to individuals with unique information.
Engadget has a statement from StockX confirming the incident. In it, they outlined actions taken and said the following:
We want you to know that we took these steps proactively and immediately, because we had just begun our investigation and did not yet know the nature, extent, or scope of suspicious activity to which we had been alerted. Though we had incomplete information, we felt a responsibility to act immediately to protect our customers while our investigation continued—and we took steps to do so.
StockX Statement to Engadget
StockX was founded by Josh Luber, Dan Gilbert and others in 2015. It helps maintain authenticity in sneaker and other consumer goods transactions by authenticating all of the stock in question, then putting it out for auction on their online marketplace.
It recently became Michigan’s second “unicorn” company, meaning that it’s worth more than $1 billion dollars.
It has high-profile investors like Eminem, Steve Aoki, Mark Wahlberg and Karlie Kloss. They’ve recently been on a hiring spree in Detroit.