- The StockX breach data has been uploaded to HIBP, so go ahead and check whether you’re included.
- Customers’ names, hashed passwords, and email addresses were exposed, but no payment data.
- It took the company more than two weeks to send notices of the breach to its customers.

A week ago, TechCrunch reported that they had got their hands on a massive data pack containing the information of 6.8 million StockX users after paying $300 for it. StockX is an e-commerce platform based in Detroit, selling mainly sneakers, watches, and handbags. The company only admitted the breach after TC made it public, and had initially asked its customers to change their passwords due to a supposed software update. This is the same path that CafePress took last week, and it’s one that leads to losing your customers’ trust.
StockX CEO Scott Cutler sent notices of a data breach to customers on Thursday, apologizing for causing confusion and for any ambiguity in the company’s initial communication, and promising to update them when the internal investigation is concluded. As the company clarified, it had known about the security incident since July 26, but it found that the payment card and financial data of its customers had not been compromised and thus didn’t disclose the event immediately. However, the names, email addresses, e-commerce platform usernames, purchase history, and hashed passwords have all been leaked and, as TC reported, are already on sale on the dark web.
Now, StockX is offering free fraud detection and identity theft protection services through “ID Experts” for the next 12 months. If you find that you have been compromised by this recent security incident, you have until November 8, 2019, to claim these services by calling (833) 300-6935 from the US, (971) 317-8411 from outside the US, or by visiting this webpage. If you’re unsure whether you have been affected, you can head over to “Have I Been Pwned” and check with your email address, as the details have just been added to the platform.
Remember, if you’re not using unique passwords, merely changing your password on StockX will not be enough to protect you from credential stuffing attacks on other platforms and websites. If that is the case, change your passwords everywhere and start using a password manager that will help you generate new, strong passwords to use across your entire online presence. This way, you won’t be risking your online identity every time a security breach occurs. In the case of StockX, the data was already on sale and very possibly under active exploitation well before the affected customers received the relevant breach notices. This is just another example of the risks we face even when we don’t know it.
Have you found yourself in this new database? Are you planning to ask StockX to compensate you in any way? Let us know in the comments below, or join the discussion on our socials, on Facebook and Twitter.