
Cyber Incident Victim: StockX

Date:

May 2019

Location:

United States of America

Summary

A cybersecurity breach at StockX led to the theft of over 6.8 million customer records by a hacker, which were later sold on the dark web. The exposed data included names, email addresses, hashed and salted passwords, device information, and profile details such as shoe size and trading currency. Internal flags indicating user bans and GDPR compliance status were also leaked. When forcing password resets, the company initially mischaracterized the incident as "system updates" and confirmed the breach only after external reporting. Security experts criticized the delayed disclosure for depriving users of a timely opportunity to assess their own risk. The incident carried potential regulatory repercussions under GDPR, which permits fines based on global revenue.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actors:

0 actors

Type:

Available to members

Location:

Available to members

Description

In May 2019, StockX suffered a data breach resulting in the theft of over 6.8 million customer records. The breach remained undisclosed until August 2019, when the company initiated a password reset for users under the guise of "system updates." This explanation caused confusion among customers, some of whom suspected a phishing attempt. StockX confirmed that the reset email was legitimate but gave no details about the underlying cause or the absence of prior notification. TechCrunch later verified, through communication with a dark web data seller, that the stolen records were being offered for $300 and that at least one purchase had been made. The compromised data included personally identifiable information such as names, email addresses, and passwords hashed with salted MD5, alongside commercial preferences like shoe size and trading currency. Additional technical details exposed device types, operating system versions, and internal account status indicators, including ban status and GDPR consent acknowledgments for European users.


StockX leadership, including founder Josh Luber and CEO Scott Cutler, did not publicly address the breach despite multiple contact attempts by journalists prior to publication. The company issued a non-attributable statement confirming the incident only after TechCrunch's investigation, while declining to explain the three-month disclosure delay or the initial misleading communication about system updates. Cybersecurity expert Jake Williams criticized StockX for depriving users of a timely opportunity to assess their risk. The breach carried significant regulatory implications under GDPR, which permits fines of up to 4% of global annual revenue for violations. The incident occurred against the backdrop of StockX's recent $110 million funding round, which had valued the company at over $1 billion just one month before the breach became public. No technical details regarding attack vectors, containment measures, or forensic findings were disclosed by the company or evident in available reporting.

Sources
Sources available to members
1 source