Slickwraps, which makes vinyl skins for phones, tablets and other electronics, announced last week that it suffered a data breach. The announcement came after many customers had received an e-mail from Slickwraps that appeared to have been sent by a hacker claiming to have stolen customer data.
What is special about this case is how the hacker apparently got into Slickwraps’ systems: not by discovering the vulnerability themselves, but by reading a now-deleted Medium post from an anonymous fellow hacker. The problem is that Slickwraps appears to have had comically poor security, leaving it both wide open to breaches like this one and flat-footed when it came to responding to concerns that were brought to its attention.
In its blog post, Slickwraps said that customer data in some of the company’s non-production databases was “accidentally disclosed through an exploit” and that those databases were “accessed by an unauthorized party.” Slickwraps says that the information accessed contained names, emails and addresses, but no passwords or personal financial information. According to Slickwraps, if you have only ever checked out as a guest, none of your personal information has been compromised.
The company recommends that users change the password for their Slickwraps account. It also says it will make security improvements in the future:
This includes improving our security processes, improving communication of security guidelines to all Slickwraps employees, and giving more priority to more of our user-requested security features in the coming months. We also work with an external cyber security company to monitor and improve our security protocols.
Yesterday the CEO of Slickwraps posted a solemn apology video on Twitter, in which he said the company has already started working on a new website with a new customization page for phone cases that it wants to launch this year.
The Slickwraps blog post also mentions that an ‘attacker’ sent customers an email on Friday – that appears to be the hacker’s email, sent from firstname.lastname@example.org. Some Twitter users shared the hacker’s email, which apparently went to 377,428 e-mail addresses held in the company’s records.
The person who sent this email said they learned how to access Slickwraps’ data by reading a now-deleted Medium post (archived here) by a person using the alias Lynx0x00 on Medium and on their now-deleted Twitter account. Lynx0x00, whose Twitter bio read in January: “Security Researcher, White Hat Hacker, Not Ax”, claimed that the Slickwraps phone case customization page had a vulnerability that would allow someone to “upload any file to any location in the highest folder on its server.” Lynx said they used that vulnerability to gain access to:
- CVs of current and former employees of SlickWraps
- 9 GB of customer photos uploaded to the case customization tool
- All SlickWraps admin account information, including password hashes
- All current and historical billing addresses of SlickWraps customers
- All current and historical shipping addresses of SlickWraps customers
- All current and historical SlickWraps customer email addresses
- All current and historical SlickWraps customer telephone numbers
- All current and historical SlickWraps customer transaction history
- The content management system of the company
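The vulnerability described above is an unrestricted file upload: the client chose both the name and the location of the stored file. The following is an added example of how a customization-page upload handler can refuse that, written for this article and not Slickwraps’ own code; the upload directory, the allowed image types and the function names are assumptions.

```python
import os
import secrets
from pathlib import Path
from typing import Optional, Union

# Assumed upload root for the hypothetical customization tool.
UPLOAD_ROOT = Path("/var/app/uploads")

# Allowlist: extension -> magic bytes the file body must start with.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def rejection_reason(user_filename: str, data: bytes) -> Optional[str]:
    """Return why an upload must be refused, or None if it passes.

    The client-supplied name is consulted only for its extension; any
    directory part ("../../", "C:\\") is discarded so the client cannot
    steer the file into an arbitrary location on the server."""
    if "\x00" in user_filename:
        return "NUL byte in filename"
    base = os.path.basename(user_filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        return "empty or directory-like filename"
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED:
        return "extension not permitted"
    # Check the body, not just the name: a script renamed to .png is refused.
    if not data.startswith(ALLOWED[ext]):
        return "content does not match extension"
    return None


def safe_upload_path(user_filename: str, data: bytes,
                     root: Union[Path, str] = UPLOAD_ROOT) -> Path:
    """Return the path to store the upload under, or raise ValueError."""
    reason = rejection_reason(user_filename, data)
    if reason:
        raise ValueError(reason)
    root = Path(root).resolve()
    ext = Path(user_filename.replace("\\", "/")).suffix.lower()
    # Random server-chosen name: the client controls neither name nor place.
    dest = (root / (secrets.token_hex(16) + ext)).resolve()
    if dest.parent != root:  # belt and braces: must still sit under root
        raise ValueError("resolved path escapes upload root")
    return dest


if __name__ == "__main__":
    # Constructed samples: a PNG-looking body and two hostile filenames.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(safe_upload_path("mycase.png", png, "uploads"))
    for name, body in [("../../index.php", b"<?php echo 1;"),
                       ("mycase.png", b"<?php echo 1;")]:
        print(name, "->", rejection_reason(name, body))
```

Decoding of percent-encoded names and size limits are left to the web framework in front of this handler.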
In their blog post, Lynx0x00 claimed to have tried to contact Slickwraps by tagging the company in public tweets and sending Twitter DMs and emails to inform the company about the vulnerabilities.
This is where the story gets a little weird. At one point, @Slickwraps had blocked Lynx0x00, but @SlickwrapsHelp eventually contacted Lynx0x00 via Twitter DM, which led to a conversation in which Lynx0x00 asked to be unblocked:
Lynx0x00 then sent a long DM to @Slickwraps threatening to make the vulnerabilities public if Slickwraps did not do so itself:
@Slickwraps then claimed that the account was managed by a third party:
Lynx0x00 then emailed the CEO of Slickwraps to tell him to check his Twitter DMs. Lynx0x00 appears to have found the CEO’s email address by viewing company records that were accessible through the Slickwraps vulnerabilities. After sending the email, Lynx0x00 was blocked again by @Slickwraps “within three minutes”.
It is currently unclear who sent the email to Slickwraps customers, who Lynx0x00 is, and whether the two are connected in any way. Lynx0x00 said in their blog post that “they may not be the only ones” in the Slickwraps databases. The Verge has contacted an email address that appears to be linked to Lynx0x00 to request comment.
In its blog post, Slickwraps says that the exploit has been patched, that “all data is secure” and that it is cooperating with a “third-party cyber security team” to analyze the situation. The FBI has also opened an investigation, the company says.
The Verge contacted email@example.com for comment but has not yet received a reply. The telephone number on the company’s press contact page is out of service, and the link on that page for sending a press e-mail points to an empty e-mail address.