The sneaker trading service StockX’s claim that recent password reset notices were just due to a “system update” turns out to be false.
Two days ago, thousands of users received password reset letters from the company. StockX claimed that it was a legitimate letter and not a phishing attempt. Despite many users reporting that it was a very suspicious email, the company doubled down on the message that it was a planned event that for some reason was not announced.
The company kept telling news outlets that they was conducting system updates and did not notice anything suspicious happening.
However, an anonymous data breach seller contacted TechCrunch with information that over 6.8 million records were stolen from StockX in May by a hacker. The sample of a thousand records turned out to be accurate.
The stolen data contained personal information including names, usernames, passwords, shoe sizes, and other types of information including more sensitive data. There was no doubt that hackers managed to successfully breach the defenses established by StockX and steal data of millions of users.
The scandal continues to develop as spokesperson of the company Katy Cockrel sticks to a very unreliable defense mechanism — staying silent and not responding to requests for comment. StockX founder Josh Luber also decided to abstain from any comments, according to TechCrunch.
The company is in significant danger of paying a huge fine (up to 4% of annual revenue) as well as other damages if it's revealed that it failed to inform customers of the breach of their data. This is according to GDPR law.
It is hard to understand why StockX did not inform its users about the data breach and apologize for it.
Now, the scandal looks much worse and could leave a huge stain on the public image of the company.