Slickwraps, which makes vinyl skins for phones, tablets, and other electronics, announced last week that it suffered a data breach. The announcement came after many customers received an email from Slickwraps that appeared to be sent by a hacker claiming to have stolen customer data.
What’s unusual about this case is how the hacker apparently breached Slickwraps’ systems: not by discovering the vulnerability on their own, but by reading a now-deleted Medium post from an anonymous fellow hacker. The takeaway is that Slickwraps may have had comically bad security, leaving it both wide open to breaches like this and flat-footed when it came to responding to any concerns brought to its attention.
In its blog post, Slickwraps said customer data in some of the company’s non-production databases was “mistakenly made public via an exploit” and that those databases were “accessed by an unauthorized party.” Slickwraps says the accessed information included names, emails, and addresses, but it did not include passwords or personal financial data. If you have ever checked out as a guest, none of your personal information was compromised, according to Slickwraps.
The company recommends users change their passwords for their Slickwraps account. It also says it will make security improvements moving forward:
This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols.
Yesterday, Slickwraps’ CEO posted a solemn apology video on Twitter, where he said the company has already started work on a new website with a new phone case customization page that it aims to launch this year.
Slickwraps’ blog post also mentions that an “attacker” emailed customers on Friday — that seems to be the hacked email from firstname.lastname@example.org. Some Twitter users shared the hacked email, which was apparently sent to 377,428 email addresses in the company’s records.
The person who sent this email said they learned how to access Slickwraps’ data by reading a now-deleted Medium post (archived here) by an individual that goes by the alias Lynx0x00 on Medium and on their now non-existent Twitter account. Lynx0x00, whose Twitter bio in January read, “Security Researcher, White Hat Hacker, Not Axe,” claimed that Slickwraps’ phone case customization page had a vulnerability that allowed someone to “upload any file to any location in the highest directory on their server.” Lynx0x00 said they used that vulnerability to access:
- Resumes of current and past SlickWraps employees
- 9GB of customer photos uploaded to the case customization tool
- All SlickWraps admin account details, including password hashes
- All current and historical SlickWraps customer billing addresses
- All current and historical SlickWraps customer shipping addresses
- All current and historical SlickWraps customer email addresses
- All current and historical SlickWraps customer phone numbers
- All current and historical SlickWraps customer transaction history
- The company’s content management system
In their blog post, Lynx0x00 claimed they tried to contact Slickwraps by tagging the company in public tweets and sending Twitter DMs and emails to inform the company about the vulnerabilities.
This part of the story gets a little weird. At one point, @Slickwraps had blocked Lynx0x00, but @SlickwrapsHelp eventually contacted Lynx0x00 over Twitter DM, which led to a conversation where Lynx0x00 asked to be unblocked:
Lynx0x00 then sent a long DM to @Slickwraps threatening to go public with the vulnerabilities if Slickwraps didn’t do so itself:
@Slickwraps then claimed the account was run by a third party:
Lynx0x00 then emailed Slickwraps’ CEO to tell him to check his Twitter DMs. It appears Lynx0x00 found the CEO’s email by looking through company records accessed through Slickwraps’ vulnerabilities. After sending the email, Lynx0x00 was blocked by @Slickwraps once again “within three minutes.”
Right now, it’s unclear who sent the emails that went out to Slickwraps’ customers and who Lynx0x00 is, as well as whether the two are connected in any way. Lynx0x00 did say in their blog post that they “might not be the only one” in Slickwraps’ databases. The Verge has reached out to an email that appears to be associated with Lynx0x00 to ask for comment.
In its blog post, Slickwraps says the exploit has been repaired, that “all data is secured,” and that it’s working with a “third-party cybersecurity team” for analysis of the situation. The FBI has also opened an investigation, the company says.
The Verge reached out to email@example.com for comment but have not yet received a reply. The phone number on the company’s press contact page is out of service, and the link on that page to send a press email links to a blank email address.