Is it the time of massive hacking again? News of Equifax’s settlement and its issues were still hot off the press when Capital One reported its own massive hacking incident. While the financial giant was quick to own up to the breach, another company seems to be sweeping evidence under the rug. Although fashion and footwear e-commerce site StockX did eventually admit to having a security incident, its coverup may have only helped put its own users at greater risk.
StockX users were surprised and worried to receive an email last Thursday informing them that their passwords had been reset. Some of them presumed it could be a phishing scam. For a while, StockX's official stance was that the reset was due to system updates, without the slightest hint that the update was prompted by a data breach.
That information instead reached TechCrunch from a data breach seller, who claimed that 6.8 million or more records had been stolen. The seller provided 1,000 records as proof, which the publication was able to confirm with the affected users. The data sold for only $300 and included names, email addresses, and shoe sizes.
More concerning than the amount of information stolen is StockX's response to the whole incident. After officially claiming the password resets were for system updates, it then changed its tune to a security report. It was only a few hours ago that it finally published an official statement on the matter. It still said nothing about stolen data, only that it had exercised an overabundance of caution in resetting users' passwords.
That, however, doesn't explain why it did not disclose the incident immediately and did so only after the media had already reported it. While resetting passwords is admittedly an important first step, being honest with users about probable, and especially actual, data breaches helps retain confidence and trust in a platform, particularly one that handles customers' products and money.