A researcher with the alias Lynx0x00 discovered security flaws in Slickwraps systems, after which he/she sent emails to customers using the company’s email address as Slickwraps remained hesitant to adequately disclose the incident to their customers.
Slickwraps Data Breach
Reportedly, Slickwraps, an online store offering skins for various smartphones, tablets, laptops and game consoles, has suffered a security incident.
The news surfaced online after a hacker with the alias Lynx0x00 shared a detailed report in a Medium blog. Though the blog is now not available online, one can still access the archived version though.
As elaborated through the report, the researcher found a vulnerability in Slickwraps systems that allowed remote code execution attacks. The system with “abysmal cybersecurity” had exposed the entire database to any potential adversary. According to the hacker,
Anyone with the right toolkit could upload any file to any location in the highest directory on their server (i.e. the “webroot”).
The hacker exploited the flaws and could also access the database. In fact, he gained complete control of the database and could delete the “entire company” anytime.
However, things changed from a security discovery into a security breach when the hacker sent emails to the firm’s customers. That too, from the legit email address of the firm. This is what the customers received which enraged them.
Hey @SlickWraps, sorry to hear about your data breach. Even more sorry to see that you've kept my data for FIVE YEARS in blatant violation of GDPR. I'm reporting you now and I expect a lot of your EU customers will do the same. Info on GDPR fines: https://t.co/wb7BUMlWcp pic.twitter.com/pGVUGdi54C
— Soren Siim (@SorenSiim) February 21, 2020
@SlickWraps @SlickwrapsHelp @FOXLA hey slick wraps. What’s this email I received??? Can you please email me. Thank you pic.twitter.com/PFQuBNuhtO
— Alex Quintana (@alexqui1986) February 21, 2020
Hey @SlickWraps, what the F?! Care to explain? pic.twitter.com/mVSYj4HM83
— Alex Pop (@alexpopguy) February 21, 2020
He justified this action as a resort to save users’ privacy since Slickwraps paid no heed to his notifications. Rather they blocked him on Twitter and began conducting various security steps on their system even to the extent of reinstalling their Magento eCommerce Platform in an attempt to cover up the breach.
What Next?
Lynx0x00 revealed that the flaw he found was a serious one that even caught the attention of other pentesters as well. Considering the gravity of the matter, he disclosed the matter publicly via a Medium post and his Twitter account. The latter, however can only be found in archives after it was deleted.
Nonetheless, these attempts at least compelled the firm to admit the security breach. As per the notice signed by their CEO,
On February 21st, we discovered customer data in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.
Slickwraps assured in their notice that the incident did not affect customers’ passwords and financial details. Though, it did affect the personal details of the customers such as names, email addresses, and physical addresses.
Moreover, they also assured that the incident did not affect any users checking in via Guest accounts. Though, some users did not agree with this.
I always checked out as guest, have no account. Still I got TWO emails from the hackers. Your negligence is criminal
— Kyle Ross (@kyledreadful) February 21, 2020
Slickwraps’ details are in contrast to the hackers’ findings who accessed much more data. The data of 857,611 compromised accounts is now also available on the Have I Been Pwned website.
Let us know your thoughts in the comments.