The fallout from the hack that affected millions of users’ data at resale platform StockX last summer isn’t over yet. According to court documents, the company is defending a class-action lawsuit filed in the Eastern District of Michigan. In it, a consolidated group of plaintiffs accuse StockX, which is headquartered in Detroit, of failing to safeguard their personal information and deceiving them about the distribution of that info.
Tech Crunch first reported on the data breach in August 2019, writing that hackers were selling user information from StockX on the dark web. “The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information,” Tech Crunch security editor Zack Whittaker wrote.
The story broke after StockX sent out an email that month saying users needed to update their passwords because of “system updates.” In fact, it prompted the change because of the hack, which the company hadn’t yet disclosed. In the weeks and months that followed, users regularly shared frustrations on social media, writing about their accounts being compromised.
In an August 2020 episode of the Complex Sneakers Podcast, StockX co-founder Josh Luber declined to comment on the suit, but spoke on the company’s reaction to the data breach.
“We didn’t have enough information to make a full disclosure, to say everything that was going on,” Luber said, “but we knew that we needed to update everyone’s passwords and lock everything down ASAP.”
Luber, who has long been the public face of StockX, left the company this week. He said in a Business of Fashion interview that he plans to launch another startup in the future. His last business with StockX is today.
The active complaint against StockX over the data breach was filed in August 2019 by an unnamed minor. It now lists Adam Foote, Anthony Giampetro, Kwadwo Kissi, Richard Harrington, Johnny Sacasas, and Chad Bolling, along with another unnamed minor, as the plaintiffs.
In court documents, they share stories of stolen identities, fraudulent sneaker purchases, and their ongoing efforts to safeguard their information. The plaintiffs say that they didn’t receive notice of the data breach until Aug. 8, 2019, 13 days after StockX learned of it. This, according to the lawsuit, happened three months after the hack took place in May 2019.
The plaintiffs are asking for monetary damages in an amount that would be determined at a potential trial. StockX is trying to avoid that outcome, though—in a motion filed in July and signed by its VP of product development, Stephen Winn, the company argued that the plaintiffs signed away their right to a class-action suit when they agreed to StockX’s terms of service. By agreeing to the terms, StockX says, users have created a legal contract obligating them to bring claims through binding and final arbitration.
“Unless you opt out you will only be permitted to bring claims against us and seek relief on an individual basis,” StockX’s terms of service read, “not as a plaintiff or class member in any class or representative action or proceeding.”
In one all-caps section, the terms establish that signees agree to waive their rights to a trial by jury for any dispute relating to their use of StockX. Instead, they must resolve issues through arbitration, a legal process in which a third party (usually a lawyer or retired judge) makes a decision on a case without a jury.
StockX’s motion says that, despite their proclaimed concerns over the spread of their personal information, the plaintiffs have not requested their StockX accounts be deleted. Per the company, one of the minors in the suit never even conducted any transactions on his account.
The plaintiffs filed a response on Aug. 26 asking the court to dismiss StockX’s push for arbitration. In their brief, they say that the minor plaintiffs can’t be forced into arbitration against their will and that the clauses in the company’s terms of service around arbitration are “procedurally and substantively unconscionable.” StockX has until Sept. 30 to reply.
A spokesman for StockX declined to comment for this story, saying that the company does not comment on ongoing legal matters.