Slickwraps, which makes vinyl skins for phones, tablets, and other electronics, announced last week that it suffered a data breach. The announcement came after many customers received an email from Slickwraps that appeared to be sent by a hacker claiming to have stolen customer data.
What’s unusual about this case is how the hacker apparently breached Slickwraps’ systems: not by discovering the vulnerability on their own, but by reading a now-deleted Medium post from an anonymous fellow hacker. The takeaway is that Slickwraps may have comically bad security, leaving it both wide open to breaches like this and flat-footed when it came to responding to any concerns brought to its attention.
In its blog post, Slickwraps said customer data in some of the company’s non-production databases was “mistakenly made public via an exploit” and that those databases were “accessed by an unauthorized party.” Slickwraps says the accessed information included names, emails, and addresses, but it did not include passwords or personal financial data. If you have ever checked out as a guest, none of your personal information was compromised, according to Slickwraps.
The company recommends users change their passwords for their Slickwraps account. It also says it will make security improvements moving forward:
This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols.
Yesterday, Slickwraps’ CEO posted a solemn apology video on Twitter, where he said the company has already started work on a new website with a new phone case customization page that it aims to launch this year.
Slickwraps’ blog post also mentions that an “attacker” emailed customers on Friday; that seems to be the hacked email from [email protected]. Some Twitter users shared the hacked email, which was apparently sent to email addresses in the company’s records.
The person who sent this email said they learned how to access Slickwraps’ data by reading a now-deleted Medium post (archived here) by an individual who goes by the alias Lynx0x on Medium and on their now non-existent Twitter account. Lynx0x, whose Twitter bio in January read, “Security Researcher, White Hat Hacker, Not Ax,” claimed that Slickwraps’ phone case customization page had a vulnerability that allowed someone to “upload any file to any location in the highest directory on their server.” Lynx0x said they used that vulnerability to access:
- Resumes of current and past SlickWraps employees
- 9GB of customer photos uploaded to the case customization tool
- All SlickWraps admin account details, including password hashes
- All current and historical SlickWraps customer billing addresses
- All current and historical SlickWraps customer shipping addresses
- All current and historical SlickWraps customer email addresses
- All current and historical SlickWraps customer phone numbers
- All current and historical SlickWraps customer transaction history
- The company content management system
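The flaw Lynx0x describes, writing any file to any location, is the classic result of an upload handler that trusts the client’s filename and content type. The following is an added, illustrative example, not Slickwraps’ code; it shows how a photo-upload feature like a case customizer can be written so that neither the path nor the file type is under the uploader’s control (the function names and the JPEG/PNG signature checks are assumptions for this example):

```python
import os
import secrets
import tempfile
from pathlib import Path

# Accepted formats, identified by leading bytes rather than by the client's filename.
_SIGNATURES = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}

class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""

def detect_image_type(data: bytes) -> str:
    """Return 'jpg' or 'png' from the bytes themselves; client names and MIME headers are ignored."""
    for sig, ext in _SIGNATURES.items():
        if data.startswith(sig):
            return ext
    raise UploadRejected("content is not a supported image")

def save_customer_photo(upload_dir: Path, client_filename: str, data: bytes,
                        max_bytes: int = 10 * 1024 * 1024) -> Path:
    """Store a photo under a server-chosen random name inside upload_dir and return its path."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # The client name is only inspected, never used: any path component is grounds for rejection.
    if client_filename != os.path.basename(client_filename) or ".." in client_filename:
        raise UploadRejected("filename must not contain path components")
    ext = detect_image_type(data)
    root = upload_dir.resolve()
    dest = (root / f"{secrets.token_hex(16)}.{ext}").resolve()
    if dest.parent != root:  # final guard: the write must land inside the upload root
        raise UploadRejected("destination escaped upload directory")
    # O_EXCL refuses to overwrite an existing file, even on a name collision.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def run_demo() -> dict:
    """Feed constructed uploads to the handler; True means stored inside the upload root."""
    root = Path(tempfile.mkdtemp())
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)  # constructed minimal PNG header, not a real image
    cases = {"case.png": png, "../../webroot/x.php": png, "x.png": b"<?php echo 1; ?>"}
    results = {}
    for name, body in cases.items():
        try:
            results[name] = save_customer_photo(root, name, body).parent == root.resolve()
        except UploadRejected:
            results[name] = False
    return results
```

Only the well-formed image under a plain name is stored; a traversal-style name and a non-image body are both refused before anything touches disk.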
In their blog post, Lynx0x claimed they tried to contact Slickwraps by tagging the company in public tweets and sending Twitter DMs and emails to inform the company about the vulnerabilities.
This part of the story gets a little weird. At one point, @Slickwraps had blocked Lynx0x, but @SlickwrapsHelp eventually contacted Lynx0x over Twitter DM, which led to a conversation where Lynx0x asked to be unblocked:
The Verge reached out to [email protected] for comment but has not yet received a reply. The phone number on the company’s press contact page is out of service, and the link on that page to send a press email points to a blank email address.