StockX is offering free fraud detection and identity-theft protection following a hack that put the data of millions of its users in jeopardy.
Scott Cutler, who assumed the role of chief executive officer from cofounder Josh Luber in June, issued a statement on Thursday recapping the ordeal, informing StockX users of the situation and offering the new protection.
“I wanted to reach out personally to follow up on the e-mail you received from us on Aug. 3 and to provide you with additional information about the data security incident we recently discovered,” said Cutler in the statement.
The Aug. 3 e-mail informed StockX users of a “data security issue” that the company was informed of. The first e-mail the company sent on Aug. 1 had the subject “Please reset your StockX password” and told users to reset their password to access their account following “system updates on the StockX platform,” but there was no mention of a data breach.
Cutler said on Thursday the Detroit-based company was “alerted to suspicious activity potentially involving our customer data” on July 26. Reports from media outlets uncovered that the company fell victim to a hack that obtained customer data, including “customer name, e-mail address, address, username, hashed passwords and purchase history.”
StockX said its investigation is ongoing and “there is no evidence to suggest that customer financial or payment information has been impacted.”
Many companies, brands and retailers have fallen victim to hacks over the years, including Target Corp., Adidas AG, Macy’s Inc., Saks Fifth Avenue, Under Armour Inc., Lord & Taylor and Poshmark, to name a few. This is the first major blow to the sneaker resale marketplace since the company launched in 2016.
“First, let me say how much we regret that you are dealing with this issue at all. We take the trust you place in us very seriously, and this is not the kind of experience we want for our community,” said Cutler.
“Upon first learning of the suspicious activity, we immediately launched an internal forensic investigation….On the same day, we engaged third-party data incident and forensic experts to assist with the investigation. While we were conducting our forensic investigation into the suspicious activity, we took proactive steps to implement infrastructure changes to mitigate and address any potential effects of the suspicious activity, including deploying a system-wide upgrade and full password reset. We have also contacted law enforcement and have been working with them in their efforts to catch the perpetrator. Once our investigation revealed evidence to suggest customer data may have been accessed by an unknown third party, we sent customers an e-mail…to make them aware of the incident, and thereafter sent a more detailed notification to our customers with further information regarding the incident. As our investigation continues, we will continue to communicate with our customers about the incident as necessary.”
In response to the hack, StockX implemented infrastructure changes, including “a system-wide update to upgrade the encryption of customer passwords; a full password reset of all customer passwords with an e-mail to customers alerting them about resetting their passwords; high-frequency credential rotation on all servers and devices, and a lockdown of our cloud computing perimeter.”
StockX is also offering 12 months of free fraud detection and identity theft protection through MyIDCare service by ID Experts. The service also include CyberScan monitoring, fully managed id theft recovery services and a $1,000,000 insurance reimbursement policy. The company also encourages its users to monitor their credit and debit card statements and credit reports.
StockX in June closed a $110 million Series C funding round that increased its valuation to $1 billion.
Read more here: