StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was “alerted to suspicious activity” on its site, despite telling users it was a result of “system updates.”
“We recently completed system updates on the StockX platform,” said the email to customers sent to TechCrunch on Thursday. The email provided a link to a password reset page but said nothing more.
The company was only last month valued at over $1 billion after a $110 million fundraise.
Companies reset passwords all the time for various reasons. Some security teams obtain lists of previously breached passwords that make their way online, scramble them in the same format that the company stores passwords, and find matches. By triggering the reset, it prevents passwords stolen from other sites from being used against one of a company’s own customers. In less than desirable circumstances, passwords are reset following a data breach.
But the company admitted it was not “system updates” as it had told its customers.
“StockX was recently alerted to suspicious activity potentially involving our platform,” said StockX spokesperson Katy Cockrel. “Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.”
“We are continuing to investigate,” said the spokesperson.
We asked several follow-up questions — including who alerted StockX to the suspicious activity, if any customer data was compromised and why it misrepresented the reason for the password reset. We’ll have more when we know it.
Throughout the day customers were tweeting screenshots of the email, worried that their accounts had been compromised. Others questioned whether the email was genuine or if it was part of a phishing attack.
“Did they get hacked, find out somehow, and then to cover it up send out that email and ask for a password change?,” one of the affected customers told TechCrunch.
Customers were given no prior warning of the password reset.
StockX founder Josh Luber kept with the company’s line, telling a customer in a tweet that the password reset was “legit” but did not respond to users asking why.
StockX tweeted back to several customers with a boilerplate response: “The password reset email you received is legitimate and came from our team,” and to contact the support email with any questions. We did just that — from our TechCrunch email address — and heard nothing back hours later.
Security experts expressed doubt that a company would reset passwords over a “systems update” as StockX had claimed.
Security researcher John Wethington said it is “rare” to see security overhauls that require password resets. “You wouldn’t just send out a random email about it,” he said. Jake Williams, founder of Rendition Infosec, said it was “bad communication” in any case.
Several took to Twitter to criticize StockX for its handling of the password reset.
One customer called the email “fishy,” another called it “suspicious” and another called on the company to explain why they had to reset passwords in this unorthodox way. Another said in a tweet that he asked StockX twice but they “refused to provide an answer.”
“Guess I’m closing my account,” he said.
Read more: Slack resets user passwords after 2015 data breach Capital One breach also hit other major companies, say researchers An exposed password let a hacker access internal Comodo files Security lapse exposed weak points on Honda’s internal network Cryptocurrency loan site YouHodler exposed unencrypted user credit cards and transactions