{"id":7,"date":"2020-11-24T19:04:58","date_gmt":"2020-11-24T18:04:58","guid":{"rendered":"https:\/\/servertest.es\/?p=7"},"modified":"2020-11-24T19:04:58","modified_gmt":"2020-11-24T18:04:58","slug":"stockx-resets-user-passwords-without-warning-techcrunch","status":"publish","type":"post","link":"https:\/\/servertest.es\/index.php\/2020\/11\/24\/stockx-resets-user-passwords-without-warning-techcrunch\/","title":{"rendered":"StockX resets user passwords without warning \u2013 TechCrunch"},"content":{"rendered":"<div>\n<p><a href=\"https:\/\/crunchbase.com\/organization\/stockx\">StockX, <span><\/span><\/a> a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was \u201calerted to suspicious activity\u201d on its site, despite telling users it was a result of \u201csystem updates.\u201d<\/p>\n<p>\u201cWe recently completed system updates on the StockX platform,\u201d said the email to customers sent to TechCrunch on Thursday. The email provided a link to a password reset page but said nothing more.<\/p>\n<p>The company was only last month valued <a href=\"https:\/\/techcrunch.com\/2019\/06\/26\/lifestyle-goods-resale-marketplace-stockx-raises-110m-pushing-valuation-past-1b\/\">at over $1 billion<\/a> after a $110 million fundraise.<\/p>\n<p>Companies reset passwords all the time for various reasons. Some security teams obtain lists of previously breached passwords that make their way online, scramble them in the same format that the company stores passwords, and find matches. By triggering the reset, it prevents passwords stolen from other sites from being used against one of a company\u2019s own customers. 
In less than desirable circumstances, passwords are reset following <a href=\"https:\/\/techcrunch.com\/2019\/07\/18\/slack-password-breach\/\">a data breach<\/a>.<\/p>\n<p>But the company admitted it was not \u201csystem updates\u201d as it had told its customers.<\/p>\n<p>\u201cStockX was recently alerted to suspicious activity potentially involving our platform,\u201d said StockX spokesperson Katy Cockrel. \u201cOut of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.\u201d<\/p>\n<p>\u201cWe are continuing to investigate,\u201d said the spokesperson.<\/p>\n<div><img decoding=\"async\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg\" alt=\"egOZmJK 1\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg 990w, https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg?resize=150,118 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg?resize=300,235 300w, https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg?resize=768,602 768w, https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg?resize=680,533 680w, https:\/\/techcrunch.com\/wp-content\/uploads\/2019\/08\/egOZmJK-1.jpg?resize=50,39 50w\"><\/p>\n<p>The password reset email sent by StockX on Thursday (Image: supplied)<\/p>\n<\/div>\n<p>We asked several follow-up questions \u2014 including who alerted StockX to the suspicious activity, if any customer data was compromised and why it misrepresented the reason for the password reset. We\u2019ll have more when we know it.<\/p>\n<p>Throughout the day customers were tweeting screenshots of the email, worried that their accounts had been compromised. 
Others questioned whether the email was genuine or if it was part of a phishing attack.<\/p>\n<p>\u201cDid they get hacked, find out somehow, and then to cover it up send out that email and ask for a password change?,\u201d one of the affected customers told TechCrunch.<\/p>\n<p>Customers were given no prior warning of the password reset.<\/p>\n<p>StockX founder Josh Luber kept with the company\u2019s line, telling a customer in <a href=\"https:\/\/twitter.com\/joshluber\/status\/1156952347731529729\">a tweet<\/a> that <span>the password reset was \u201clegit\u201d but did not respond to users asking why.<\/span><\/p>\n<p>StockX tweeted back to several customers with a boilerplate response: \u201cThe password reset email you received is legitimate and came from our team,\u201d and to contact the support email with any questions. We did just that \u2014 from our TechCrunch email address \u2014 and heard nothing back hours later.<\/p>\n<p>Security experts expressed doubt that a company would reset passwords over a \u201csystems update\u201d as StockX had claimed.<\/p>\n<p>Security researcher John Wethington said it is \u201crare\u201d to see security overhauls that require password resets. \u201cYou wouldn\u2019t just send out a random email about it,\u201d he said. Jake Williams, founder of Rendition Infosec, said it was \u201cbad communication\u201d in any case.<\/p>\n<p>Several took to Twitter to criticize StockX for its handling of the password reset.<\/p>\n<p>One customer <a href=\"https:\/\/twitter.com\/stockx\/status\/1156969053858275329\">called<\/a> the email \u201cfishy,\u201d another <a href=\"https:\/\/twitter.com\/stockx\/status\/1157009557002043392\">called<\/a> it \u201csuspicious\u201d and another called on the company <a href=\"https:\/\/twitter.com\/MCasiyo\/status\/1157021460508172290\">to explain<\/a> why they had to reset passwords in this unorthodox way. 
Another said <a href=\"https:\/\/twitter.com\/mjadalhack\/status\/1156976701903183877\">in a tweet<\/a> that he asked StockX twice but they \u201crefused to provide an answer.\u201d<\/p>\n<p>\u201cGuess I\u2019m closing my account,\u201d he <a href=\"https:\/\/twitter.com\/mjadalhack\/status\/1156973585094852615\">said<\/a>.<\/p>\n<p><strong>Read more:<\/strong><br \/>\n<a href=\"https:\/\/techcrunch.com\/2019\/07\/18\/slack-password-breach\/\">Slack resets user passwords after 2015 data breach<\/a><br \/>\n<a href=\"https:\/\/techcrunch.com\/2019\/07\/31\/capital-one-breach-vodafone-ford-researchers\/\">Capital One breach also hit other major companies, say researchers<\/a><br \/>\n<a href=\"https:\/\/techcrunch.com\/2019\/07\/27\/comodo-password-access-data\/\">An exposed password let a hacker access internal Comodo files<\/a><br \/>\n<a href=\"https:\/\/techcrunch.com\/2019\/07\/31\/security-lapse-exposed-weak-points-on-hondas-internal-network\/\">Security lapse exposed weak points on Honda\u2019s internal network<\/a><br \/>\n<a href=\"https:\/\/techcrunch.com\/2019\/07\/24\/youhodler-exposed-unencrypted-credit-cards-transactions\/\">Cryptocurrency loan site YouHodler exposed unencrypted user credit cards and transactions<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was \u201calerted to suspicious activity\u201d on its site, despite telling users it was a result of \u201csystem updates.\u201d \u201cWe recently completed system updates on the StockX platform,\u201d said the email to customers sent to TechCrunch &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/servertest.es\/index.php\/2020\/11\/24\/stockx-resets-user-passwords-without-warning-techcrunch\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \u00abStockX resets user passwords without warning \u2013 
TechCrunch\u00bb<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7","post","type-post","status-publish","format-standard","hentry","category-sin-categoria","entry"],"_links":{"self":[{"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/posts\/7"}],"collection":[{"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/comments?post=7"}],"version-history":[{"count":1,"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/posts\/7\/revisions"}],"predecessor-version":[{"id":13,"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/posts\/7\/revisions\/13"}],"wp:attachment":[{"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/media?parent=7"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/categories?post=7"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/servertest.es\/index.php\/wp-json\/wp\/v2\/tags?post=7"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}