1.23.2020 8:33 PM

Features

StockX's billion-dollar sneaker empire was hacked last year. Why are customers still paying for it?

Some buyers continue to deal with fraudulent purchases, and the company's response (or lack thereof) is cause for concern.

JEFF KOWALSKY/AFP/Getty Images

On the night of November 10, Pete King was on his laptop working from home when he received an email from StockX for an order of Nike Free RN Flyknit sneakers. King, a 28-year-old from California, was charged $2,482 — an outrageous amount for a pair that sells for an average of $77 on the site. They were also purchased in women’s sizing, a detail that instantly raised a red flag in his mind. And even though the shipping address was his own, King never made this purchase.

When he tried to log into his StockX account to check on the order, someone seemingly had changed his password and locked him out of it. It was at that exact moment when a flurry of spam emails from subscription lists hit his inbox. King began to panic.

More than three months earlier, on August 1, StockX had sent an email to its users urging them to change their account passwords. The email was short on details and only referred to system updates. Upon pushback from users, the company would only go as far as admitting to receiving alerts of “suspicious activity.” Two days later, TechCrunch revealed the real reason: a data breach exposed nearly 7 million records from StockX users. It took until August 8 for StockX itself to announce the hack and what measures it was taking.

Today, some people whose accounts were compromised are still dealing with the aftermath, and StockX hasn’t been of much help. Reports of fraudulent purchases have appeared online as recently as last week. Most of these purchases involve hackers trying to get their hands on sneakers at the expense of others, but King’s case suggests hackers also seeking to sell their own shoes for insanely inflated prices.

Sneakers are booming

The sneaker resale market has exploded in recent years, with the entire market estimated to be at least $2 billion, according to banking firm Cowen & Company. That figure is expected to reach $6 billion by 2025, per the same estimate. At the top of the booming sneaker industry is StockX, which was launched in 2016 by a group of investors including Quicken Loans co-founder and Cleveland Cavaliers owner Dan Gilbert. Last summer, it became the first resale company to be valued at $1 billion.

In the nascent days of sneaker culture, eBay and forums were typically the only places to buy new sneakers that were no longer available in stores, and neither could guarantee authenticity or a lack of wear. With its comprehensive, easy-to-navigate database and in-house authentication, it’s no surprise that StockX has quickly emerged as the industry leader. Once a sale is complete, the seller ships it to StockX for an inspection. Items confirmed to be authentic have a StockX tag attached and are then shipped to the buyer. Buyers and sellers are able to place bids and asking prices, respectively, creating a user-generated market well-tuned to the demand of the secondary market.

That differs from competitors like Stadium Goods and Flight Club, although GOAT offers the same option. StockX has also expanded to offer the widest array of products, including streetwear, handbags, watches, and collectibles. But for all its success, many customers are upset by the company’s response to the recent hack and the chain reaction it may have created.

JEFF KOWALSKY/AFP/Getty Images

Reviews of StockX on TrustPilot, a third-party website for customer reviews, give an idea of widespread user frustration. Of the 2,300-plus reviews, 36 percent are “bad” — the worst possible rating. Another three and four percent are “poor” or “average,” respectively. StockX’s overall score of 2.9 places it in last place of the 32 shoe stores on the platform (GOAT is next, at 31). Since the hack became known, more than 40 reviewers on TrustPilot have reported fraudulent purchases made with their accounts. Of those, 22 have said either their claim was denied or they received no response from customer service.

StockX stopped responding to user reviews on August 7, the day before it released a statement on the hack.

On Reddit, r/StockX and r/Sneakers are also rife with complaints about the hack. Input spoke with several people whose accounts were targeted and used to make expensive purchases they never agreed to. Each provided screenshots to corroborate their experiences. Their stories put a human face on an issue that’s been vocalized across the internet, one that StockX appears to have under-acknowledged.

One of these people is Rod Geddes, a 40-year-old from Ontario, who had three Adidas Yeezy purchases — by hackers seeking delivery to the United Kingdom — for a total of approximately $800 go through in mid-December. In addition, purchases of two $5,000 Rolexes and another pair of Yeezys were automatically rejected by PayPal. StockX sent an automated refund notification after PayPal had first awarded a refund.

However, to this day, he says, no one from StockX has replied to the “12 to 15 emails” he sent in the first 24 hours, or the follow-ups every few days since. The only feedback he's received has been automated. “I’m still going to use the app for market prices on shoes,” Geddes says, “but I’ll never give them a dollar or sell through them again. I’d like to see them held accountable in any way.”

“I’ll never give them a dollar or sell through them again. I’d like to see them held accountable in any way.”

A common sentiment of those who’ve had their StockX accounts hacked, regardless of their experience afterward, is frustration that the platform hasn’t integrated two-factor authentication for account changes — most importantly password or address. That’s why King says he’ll no longer use the service, even though StockX issued him a refund the day after his account was used to purchase the pair of Nike Free RN Flyknits. He says he’s also frustrated that he was unable to speak with someone over the phone.

“When you’re in freakout mode like that, and you’re being told that the earliest someone is going to contact you about a $2,500 theft is the next business day, that’s insane,” King says. “When you go through the chat bot and it gives you the option to chat with someone, it just directs you to the email. They’re being kind of dishonest.”

While StockX made everything right for King, he says his credit limit was increased by the fraudulent purchase, which lowered his credit score. “It’s a great platform in theory, but they need to implement two-factor authentication,” he says. “It’s very, very reckless to have a system in place in which if someone gets hacked, someone can steal thousands of dollars immediately.”

A flood of complaints

Input reached out to StockX for comment about users who claimed to have received no response or had their refund requests denied, as well as the calls for two-factor verification and more avenues for customer services.

“We can’t go into specific cases, [but] I can assure you that we respond to every single customer,” StockX spokesperson Katy Cockrel said in an email. “We incorporate their feedback into our product continually, and the customer experience improves as a result. We have also taken steps to open additional channels for them to access our team directly, including rolling out the ability for customers to handle inquiries via live chat.

Iftekar Mohiuddin’s experience suggests differently. The 30-year-old from Georgia says StockX initially denied his claim of fraud. A hacker was able to purchase two pairs of Balenciaga Speed Trainers for a total of more than $1,400 in mid-December using his account to ship to another address. He says StockX initially responded by saying all purchases are final. After he filed a claim with his cardholder, American Express, StockX contacted him again days later and said he’d receive a refund because of “special circumstances.” The email also urged him not to reach out to his financial institution if this happened again.

“It's not even fishy; it’s messed up.”

That’s a troubling request, to say the least, coming from a company that hadn’t stepped up until it was strong-armed. The only other solution would be further escalation: filing a police report. “It's not even fishy; it’s messed up,” Mohiuddin says. “They’re just trying to protect themselves. If you have too many hacks through Amex, they’ll eventually terminate your ability to use Amex.”

Meanwhile, Mohiuddin complains that he’s received several pairs of supposedly mint sneakers that have shown clear signs of wear. He didn’t raise an issue because they were cheaper runners that he purchased for $30 or $40. He also says he bought a pair of Yeezys on StockX that he suspects are fake but can’t confirm. He’s far from the only one, as users have shared complaints across social media.

One such place is the Instagram account @StockXBusta. Since its creation in May 2019, it’s garnered nearly 35,000 followers as it documents user complaints with photos and screenshots as evidence. Most split into roughly two categories from buyers: fake sneakers or non-deadstock sneakers (those that have been worn, damaged, or are flawed). More than 20 cases of the former have been reported in less than a year, as well as more than 60 of the latter. Similar complaints are also common on TrustPilot and Reddit.

When StockX finally acknowledged it had been hacked, it announced infrastructure changes that included an upgraded encryption for passwords, high-frequency credential rotation on all servers and devices, and a lockdown of its cloud-computing perimeter. Additionally, all customers were offered 12 months of fraud detection and identity theft protection from MyIDCare. But given the stories we’ve shared, as well as the many more that appear online, it’s clear the company has a long way to go to satisfy its user base — in regards to the hack and beyond.

“Based on the hack, how they handle customer service, and the quality of stuff I’ve been getting,” Mohiuddin says, ”my faith in StockX has completely plummeted.”

It’s clear StockX needs to do better: The company’s very existence is predicated on new and authentic sneakers, and it has to get a tighter grip on the inadequacies of its process. What’s more, although StockX exists in a market that’s still young, there’s not a business around that shouldn’t be held accountable when users’ money and information has been exposed. “As a global tech company,” StockX’s spokesperson told Input, “we’re committed to constantly strengthening our systems to protect customers, as their safety and security remains the highest priority of the business.”

For the sake of its customers, let’s hope the company is taking these issues seriously and finds a way to respond to people’s concerns in a less shaky manner and more with a sense of urgency. It needs to set higher customer service standards for itself, and it needs to do it quickly before these problems grow out of control.