
Slickwraps apologizes to customers after comically bad data breach – The Verge

Slickwraps, which makes vinyl skins for phones, tablets, and other electronics, announced last week that it suffered a data breach. The announcement came after many customers received an email from Slickwraps that appeared to be sent by a hacker claiming to have stolen customer data.

What’s unusual about this case is how the hacker apparently breached Slickwraps’ systems: not by discovering the vulnerability on their own, but by reading a now-deleted Medium post from an anonymous fellow hacker. The takeaway is that Slickwraps may have comically bad security, leaving it both wide open to breaches like this and flat-footed when it came to responding to any concerns brought to its attention.

In its blog post, Slickwraps said customer data in some of the company’s non-production databases was “mistakenly made public via an exploit” and that those databases were “accessed by an unauthorized party.” Slickwraps says the accessed information included names, emails, and addresses, but did not include passwords or personal financial data. If you have only ever checked out as a guest, none of your personal information was compromised, according to Slickwraps.

The company recommends users change their passwords for their Slickwraps account. It also says it will make security improvements moving forward:

This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols.

Yesterday, Slickwraps’ CEO posted a solemn apology video on Twitter, where he said the company has already started work on a new website with a new phone case customization page that it aims to launch this year.

Slickwraps’ blog post also mentions that an “attacker” emailed customers on Friday – that seems to be the hacked email from [email protected]. Some Twitter users shared the hacked email, which was apparently sent to the email addresses in the company’s records.

The person who sent this email said they learned how to access Slickwraps’ data by reading a now-deleted Medium post (archived here) by an individual who goes by the alias Lynx0x on Medium and on their now non-existent Twitter account. Lynx0x, whose Twitter bio in January read, “Security Researcher, White Hat Hacker, Not Ax,” claimed that Slickwraps’ phone case customization page had a vulnerability that allowed someone to “upload any file to any location in the highest directory on their server.” Lynx0x said they used that vulnerability to access:

• Resumes of current and past SlickWraps employees
• 9GB of customer photos uploaded to the case customization tool
• All SlickWraps admin account details, including password hashes
• All current and historical SlickWraps customer billing addresses
• All current and historical SlickWraps customer shipping addresses
• All current and historical SlickWraps customer email addresses
• All current and historical SlickWraps customer phone numbers
• All current and historical SlickWraps customer transaction history
• The company content management system
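The bug class Lynx0x describes above, an upload endpoint that lets the caller choose where the file lands, is worth seeing in code. The following is an added illustration, not Slickwraps’ code and not taken from Lynx0x’s write-up; every name in it (vulnerable_save, hardened_save, ALLOWED_TYPES, the scratch directory layout) is hypothetical. It shows a save routine that trusts the client-supplied filename, beside a hardened version that throws away the directory part, allow-lists the extension, checks the file’s magic bytes against the claimed type, generates the on-disk name server-side, and confirms the resolved path is still under the upload root.

```python
"""Unsanitized upload path: vulnerable pattern beside a hardened one.

Added illustration of the bug class reported in the article ("upload any
file to any location"). This is NOT Slickwraps' code; all names here are
hypothetical and the image-only policy is an assumption.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Assumption: the customization tool only needs raster images.
# Maps an allowed suffix to the magic-byte prefixes the content must start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def vulnerable_save(upload_root: Path, client_filename: str, data: bytes) -> Path:
    """Vulnerable: the client-controlled name becomes the on-disk path.

    '../' segments walk out of upload_root, and os.path.join discards
    upload_root entirely when client_filename is absolute, so a caller can
    drop e.g. a .php file into the web root.
    """
    target = Path(os.path.join(str(upload_root), client_filename))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def hardened_save(upload_root: Path, client_filename: str, data: bytes) -> Path:
    """Hardened: the server chooses the path; the client name only picks a suffix."""
    # 1. Drop every directory component; only the last segment is considered.
    base = Path(client_filename).name
    if base in ("", ".", ".."):
        raise ValueError("empty or special filename")
    # 2. Allow-list the extension (never .php, .jsp, .html, ...).
    suffix = Path(base).suffix.lower()
    if suffix not in ALLOWED_TYPES:
        raise ValueError(f"disallowed file type: {suffix!r}")
    # 3. Check that the content matches the claimed type, not just the name.
    if not data.startswith(ALLOWED_TYPES[suffix]):
        raise ValueError("content does not match declared type")
    # 4. Server-generated, unguessable filename with the validated suffix.
    root = upload_root.resolve()
    target = (root / (secrets.token_hex(16) + suffix)).resolve()
    # 5. Defence in depth: refuse anything that still resolved outside root.
    if root not in target.parents:
        raise ValueError("path escapes upload root")
    target.write_bytes(data)
    return target


def demo() -> tuple[Path, Path]:
    """Run both routines against a traversal filename inside a scratch tree."""
    server_root = Path(tempfile.mkdtemp())        # stand-in for the server's tree
    uploads = server_root / "uploads"
    uploads.mkdir()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed minimal PNG header
    escaped = vulnerable_save(uploads, "../webroot/shell.php", b"<?php echo 1; ?>")
    safe = hardened_save(uploads, "../webroot/shell.png", png)
    return escaped, safe


if __name__ == "__main__":
    escaped, safe = demo()
    print("vulnerable wrote to:", escaped)   # lands under webroot/, outside uploads/
    print("hardened   wrote to:", safe)      # lands inside uploads/ with a random name
```

The ordering matters: the suffix allow-list and magic-byte check stop a web shell disguised as an image, while the server-generated name and the final parents check mean that even a bypass of the earlier steps cannot steer the write outside the upload directory.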

In their blog post, Lynx0x claimed they tried to contact Slickwraps by tagging the company in public tweets and sending Twitter DMs and emails to inform the company about the vulnerabilities.

This part of the story gets a little weird. At one point, @Slickwraps had blocked Lynx0x, but @SlickwrapsHelp eventually contacted Lynx0x over Twitter DM, which led to a conversation where Lynx0x asked to be unblocked:

Image: Lynx0x

Lynx0x then sent a long DM to @Slickwraps threatening to go public with the vulnerabilities if Slickwraps did not do so itself:

Image: Lynx0x

@Slickwraps then claimed the account was run by a third party:

Image: Lynx0x

Lynx0x then emailed Slickwraps’ CEO to tell him to check his Twitter DMs. It appears Lynx0x found the CEO’s email address by looking through company records accessed through Slickwraps’ vulnerabilities. After sending the email, Lynx0x was blocked by @Slickwraps once again “within three minutes.”

Right now, it’s unclear who sent the emails that went out to Slickwraps’ customers and who Lynx0x is, as well as whether the two are connected in any way. Lynx0x did say in their blog post that they “might not be the only one” in Slickwraps’ databases. The Verge has reached out to an email address that appears to be associated with Lynx0x to ask for comment.

In its blog post, Slickwraps says the exploit has been repaired, that “all data is secured,” and that it’s working with a “third-party cybersecurity team” for analysis of the situation. The FBI has also opened an investigation, the company says.

The Verge reached out to [email protected] for comment but has not yet received a reply. The phone number on the company’s press contact page is out of service, and the link on that page to send a press email links to a blank email address.
