StockX admitted to the data breach after sending an email to all its users requiring them to change their passwords due to a “system update” on Thursday.
The footwear retailer was forced to admit the hack over the weekend following a report by TechCrunch, which claimed it was approached by an anonymous data seller with access to the stolen user data.
According to the data seller, 6.8 million records were stolen from StockX in May, including users’ full names, email addresses, scrambled passwords, shoe size, trading currency and even the type of device they use, including its software version.
In order to corroborate these claims, the publication was handed a small sample of 1000 records by the data seller, which were reportedly bought from the dark web for just $300.
Users were contacted with information that only they would know from the stolen records, like their real name and shoe size, and every person who responded confirmed the information was correct.
A StockX spokesperson initially said that the company was “alerted to suspicious activity” on the site after the report was first published, but later issued a further statement.
“From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted,” the statement reads.
It added that along with the password reset, it has implemented a “system-wide security update” but refused to answer any specific questions regarding the breach.
In June the US company, founded in 2015, secured a further $110 in a Series C funding round led by DST Global, General Atlantic and GGV Capital, raising its total market valuation above the coveted $1 billion “unicorn” threshold.