Slickwraps, which makes cases for mobile devices, announced that it suffered a data breach. The company announced the incident after its customers received an email, sent from a Slickwraps address, that appeared to be from a hacker who allegedly stole customer data. The email was sent from a Slickwraps email address to 377,428 email addresses. However, the breach affected more than 850,000 accounts. The hacker was able to gain access to this information through a vulnerability in one of the pages on the company’s website.
Slickwraps apologized to its customers and stated that “customer data in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party. The information did not contain passwords or personal financial data. The information did contain names, user emails, addresses. If you ever checked out as ‘GUEST’ none of your information was compromised.” Slickwraps suggested that users change their account passwords.
The company noted that “[t]here is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.” Slickwraps noted the ways that it will work to improve security. Improvements will include: “enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols.” The company provided a timeline of the events that occurred.
The hacker stated that they learned how to hack Slickwraps from a since-deleted Medium blog post, which has been archived. The author of that post goes by the pseudonym Lynx0x00 and describes themselves as a security researcher. This information was also posted on Twitter. Lynx0x00 stated that Slickwraps’ phone case customization page had a vulnerability that allowed the upload of “any file to any location in the highest directory on their server.” The anonymous user stated that they decided to write the post because “I have exhausted all other options…I notified SlickWraps multiple times of their egregious security vulnerabilities which (still) exist on their Magento-based eCommerce platform.” They claimed that Slickwraps did not take their advice or make any efforts to fix the security vulnerabilities; instead, the company “blocked and ignored” the user.
The user noted that the company’s security was “just as abhorrent as rumors suggested.” They were able to gain access to private company information, including access to the company’s account balances and transaction logs. The user also gained full access to the company’s content management system. They noted, “At this point, I could have deleted their entire company. Fortunately for SlickWraps, I had no nefarious intent. As I’ve done countless times before, I put things back where they belonged, left quietly, and prepared to disclose a severe vulnerability report.” Slickwraps has since hired an outside security firm to audit its existing security processes.
The recent data breach is not the only issue facing Slickwraps. Last fall, Pearl Delta Funding filed suit for breach of contract, alleging that Slickwraps failed to deliver on an agreement that involved the “purchase of [Slickwraps’] future receivables.”