It looks like this week is dead set on proving that old superstition about bad omens: They always come in threes.
First Capital One announced a massive data breach. Then the Entertainment Software Association leaked a bunch of professionals’ personal information. And now multiple reports say the “system updates” StockX claimed to have earlier this week were actually the result of a hacker making off with 6.8 customers’ records.
Topping off this trash heap of news, the full scale of this last breach only came to light after a black market data seller reportedly approached TechCrunch claiming (and later, proving) they had their hands on the stolen data.
On Thursday, users received a password reset email from StockX, a popular fashion and sneaker trading site recently valued at more than $1 billion. The company’s message attributed the reset to “recently completed system updates on the StockX platform.” When pressed by reporters though, that answer quickly changed.
“StockX was recently alerted to suspicious activity potentially involving our platform,” a company spokesperson told Engadget on Thursday without commenting further.
According to the report TechCrunch released Saturday, a data seller informed them a hacker stole 6.8 million records from StockX back in May, data they subsequently bought from an undisclosed source. TechCrunch verified the claims using a sample of 1,000 records the seller provided to contact users and confirm information only they would know.
The next day, StockX provided a statement to Engadget confirming a breach occurred and detailing the stolen data. The lot included important personal information like user’s names, email addresses, and hashed passwords along with not so important personal information, like their shoes sizes and trading currencies.
“From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted,” the statement reads.
Along with the password reset and other security measures, StockX also implemented a “system-wide security update” after discovering the breach, according to the statement. So that first email may have technically been true, even if it did leave out the whole “huge data breach” bit.
As to why the lack of transparency, the company said it had incomplete information since the investigation has been ongoing. After that TechCrunch report, though, their information seems to have firmed up in record time.
As of writing this, the seller’s purportedly already sold the data for $300 on the dark web, according to TechCrunch.
Gizmodo has reached out to StockX for comment, and will update this story with their response.