Slickwraps has revealed a data breach impacting over 850,000 user accounts, admitting its mistake in permitting customer records to become public.
Slickwraps is an online store that offers skins for a variety of smartphones, tablets, gaming consoles, and laptops. Last week, the company said in a blog post that on February 21, Slickwraps discovered that customer records were available and "mistakenly made public via an exploit."
Slickwraps databases were not adequately protected, leading to the exposure of customer information including names, email addresses, physical addresses, phone numbers, and purchase histories.
Customers checking out as guests were not involved in the data breach, nor was any financial data or cleartext account passwords.
"There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back," Jonathan Endicott, Slickwraps CEO said. "We've made a mistake in violation of that trust."
On February 21, an "attacker emailed customers connected to the breach," the company says. A screenshot of the email, posted to Twitter, included a portion of user data and urged customers to email the firm directly over the leak of their information.
Slickwraps was made aware of the breach via a post on Twitter. Troy Hunt, cybersecurity expert and the owner of Have I Been Pwned, was contacted to verify the user's claims and the FBI was alerted. The vulnerable servers were then closed down and the exploits patched over.
However, an individual who notified Slickwraps of its cybersecurity issues is also of interest. As noted by Slashgear, the person went under the name of Lynx0x00.
A Medium blog post, now deleted but available in Internet archives, documents how Slickwraps' "abysmal cybersecurity" permitted anyone to upload a file to root, leading to remote code execution (RCE) attacks and the ability to execute shell commands. A single upload.php file was at fault, according to Lynx0x00's penetration testing report.
Alongside customer information, Lynx0x00 said that API credentials were also made available and they were able to make themselves the owner of the Slickwraps ZenDesk platform and backend CMS.
Lynx0x00 claims that multiple attempts were made to open a line of communication with Slickwraps, of which warnings were ignored and the individual was blocked on social media, leading to the research becoming public. It is not known why the blog post was later deleted.
The exposed data has been added to Have I Been Pwned, a search engine that can be used to see if your information has been involved in a data breach. In total, 857,611 customer accounts were compromised.
"We are deeply sorry for this oversight," Endicott says. "We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months."
An external cybersecurity firm has also been hired to perform an audit of existing security processes.
Previous and related coverage
- Google denies claims that free school Chromebooks are illegally collecting student data
- FBI recommends passphrases over password complexity
- ObliqueRAT linked to threat group launching attacks against government targets
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0