INSUBCONTINENT EXCLUSIVE:
StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was “alerted
to suspicious activity” on its site, despite telling users it was a result of “system updates.”“We recently completed system updates
on the StockX platform,” said the email to customers sent to TechCrunch on Thursday
The email provided a link to a password reset page but said nothing more.The company was only last month valued at over $1 billion after a
$110 million fundraise.Companies reset passwords all the time for various reasons
Some security teams obtain lists of previously breached passwords that make their way online, scramble them in the same format that the
company stores passwords, and find matches
By triggering the reset, it prevents passwords stolen from other sites from being used against one of a company’s own customers
In less than desirable circumstances, passwords are reset following a data breach.But the company admitted it was not “system updates”
as it had told its customers.“StockX was recently alerted to suspicious activity potentially involving our platform,” said StockX
spokesperson Katy Cockrel
“Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account
passwords.”“We are continuing to investigate,” said the spokesperson.The password reset email sent by StockX on Thursday (Image:
supplied)We asked several follow-up questions — including who alerted StockX to the suspicious activity, if any customer data was
compromised and why it misrepresented the reason for the password reset — but the spokesperson declined to comment further.Throughout the
day customers were tweeting screenshots of the email, worried that their accounts had been compromised
Others questioned whether the email was genuine or if it was part of a phishing attack.“Did they get hacked, find out somehow, and then to
cover it up send out that email and ask for a password change?,” one of the affected customers told TechCrunch.Customers were given no
prior warning of the password reset.StockX founder Josh Luber kept with the company’s line, telling a customer in a tweet that the
password reset was “legit” but did not respond to users asking why.StockX tweeted back to several customers with a boilerplate response:
“The password reset email you received is legitimate and came from our team,” and to contact the support email with any questions
We did just that — from our TechCrunch email address — and heard nothing back hours later.Security experts expressed doubt that a
company would reset passwords over a “systems update” as StockX had claimed.Security researcher John Wethington said it is “rare” to
see security overhauls that require password resets
“You wouldn’t just send out a random email about it,” he said
Jake Williams, founder of Rendition Infosec, said it was “bad communication” in any case.Several took to Twitter to criticize StockX for
its handling of the password reset.One customer called the email “fishy,” another called it “suspicious” and another called on the
company to explain why they had to reset passwords in this unorthodox way
Another said in a tweet that he asked StockX twice but they “refused to provide an answer.”“Guess I’m closing my account,” he
said.Read more:Slack resets user passwords after 2015 data breachCapital One breach also hit other major companies, say researchersAn
exposed password let a hacker access internal Comodo filesSecurity lapse exposed weak points on Honda’s internal networkCryptocurrency
loan site YouHodler exposed unencrypted user credit cards and transactions
