[BreachExchange] Slickwraps hit by customer data breach

[Destry Winant]

https://www.techradar.com/news/slickwraps-hit-by-customer-data-breach

Slickwraps, a company that makes vinyl skins for popular gadgets, has
revealed that its website was compromised, and personal details of its
customers exposed.

The company tweeted that an “unauthorized party” had gained access to
its database, breaching details including customer names, email ids
and addresses, although passwords and credit card information were
unaffected.

The hack was uncovered by a security researcher named Lynx, who shared
a Medium post stating that he was able to access Slickwraps’s server
in January using a vulnerability in the custom skin image upload
section of the website.

In his post, Lynx mentioned that he not only got access to admin
details, customer billing and shipping addresses, phone numbers,
customer photos but also obtained access to internal details including
the resumes of employees, ZenDesk ticketing system, API credentials
and even social media accounts.

The researcher took to Twitter to inform Slickwraps about the
vulnerabilities; however, the company's support team appeared clueless
about his claims.

While all his tweets and the medium post are now deleted, Lynx
mentioned that since the vulnerability is still not fixed, other
hackers might be able to access the data. Rather than acting on his
information, Lynx was blocked on Twitter by the Slickwraps social
media team.

Following the disclosure, hackers were eventually able to get hold of
the data and sent an email to over 377,000 customers using Slickwraps
official support ID informing them about the compromise. As of now,
there is no report of malicious use of personal details.

Slickwraps issued a statement accepting the breach and apologized to
the customers with a promise to enhance their security process. The
company also announced that it will partner with a third-party cyber
security firm for a security audit and implement their suggestions to
improve security protocols.

The official statement from Slickwraps reads “There is nothing we
value higher than trust from our users. We are reaching out to you
because we've made a mistake in violation of that trust. On February
21st, we discovered information in some of our non-production
databases was mistakenly made public via an exploit. During this time,
the databases were accessed by an unauthorized party.

The information did not contain passwords or personal financial data.
The information did contain names, user emails, addresses.”