It has been reported that the fashion and sneaker trading platform StockX pushed out a password reset email to its users on Thursday citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing attempt, as some had suspected, but did not say what caused the alleged system update or why there was no prior warning. A spokesperson eventually told TechCrunch that the company had been “alerted to suspicious activity” on its site but declined to comment further. But that wasn’t the whole truth.
An unnamed data breach seller contacted TechCrunch claiming that more than 6.8 million records were stolen from the site in May by a hacker. The stolen data contained names, email addresses, scrambled passwords (believed to be hashed with the MD5 algorithm and salted), and other profile information, such as shoe size and trading currency. The data also included each user’s device type, such as Android or iPhone, and the software version.
When communicating IT and security issues to the general public, and specifically to customers, it’s important to put yourself in their shoes when crafting the message. With a long list of breach disclosures in the past 24 months, and no real sign of that flow of disclosures abating, the public is increasingly growing numb to any new disclosure. Despite this, the disclosure process is the first opportunity an organisation has to rebuild its brand following the damaging act. As a result, it’s often best to offer a clear explanation of what happened, what users need to do to protect themselves, and what the organisation is doing to ensure it continues to earn customer trust. Masking the nature of the problem under a banner of “system updates” really only succeeds in keeping the negative news top of mind for customers as it inevitably dribbles out.
Of course, behind the scenes there is likely considerable activity, including root cause analysis by forensics teams, law enforcement involvement, and legal assessments of the disclosure requirements defined by regulators in the regions where the customer base is located. While these items will undoubtedly result in changes to business operations, it’s important to include a review of application development practices and threat models in these post-breach activities. This is because malicious actors often perform a reconnaissance sweep of the environment looking for any weaknesses and then exploit the easiest and most profitable attack. If an organisation fails to assess its entire application security and production deployment environment, it could easily leave actors with valuable knowledge that could form part of a future attack.