Slickwraps says customer trust was ‘violated’ in data breach caused by glaring security holes

A security researcher’s warnings were reportedly ignored.
Written by Charlie Osborne, Contributing Writer

Slickwraps has revealed a data breach impacting over 850,000 user accounts, admitting its mistake in permitting customer records to become public. 

Slickwraps is an online store that offers skins for a variety of smartphones, tablets, gaming consoles, and laptops. Last week, the company said in a blog post that on February 21, Slickwraps discovered that customer records were available and "mistakenly made public via an exploit." 

Slickwraps databases were not adequately protected, leading to the exposure of customer information including names, email addresses, physical addresses, phone numbers, and purchase histories. 

Customers checking out as guests were not involved in the data breach, nor was any financial data or cleartext account passwords. 

"There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back," Jonathan Endicott, Slickwraps CEO said. "We've made a mistake in violation of that trust."

See also: This is the impact of a data breach on enterprise share prices

On February 21, an "attacker emailed customers connected to the breach," the company says. A screenshot of the email, posted to Twitter, included a portion of user data and urged customers to email the firm directly over the leak of their information. 

Slickwraps was made aware of the breach via a post on Twitter. Troy Hunt, cybersecurity expert and the owner of Have I Been Pwned, was contacted to verify the user's claims and the FBI was alerted. The vulnerable servers were then closed down and the exploits patched over. 

However, an individual who notified Slickwraps of its cybersecurity issues is also of interest. As noted by Slashgear, the person went under the name of Lynx0x00. 

A Medium blog post, now deleted but available in Internet archives, documents how Slickwraps' "abysmal cybersecurity" permitted anyone to upload a file to root, leading to remote code execution (RCE) attacks and the ability to execute shell commands. A single upload.php file was at fault, according to Lynx0x00's penetration testing report. 

CNET: SIM swap fraud: What it is, why you should care and how to protect yourself

Alongside customer information, Lynx0x00 said that API credentials were also made available and they were able to make themselves the owner of the Slickwraps ZenDesk platform and backend CMS. 

Lynx0x00 claims that multiple attempts were made to open a line of communication with Slickwraps, of which warnings were ignored and the individual was blocked on social media, leading to the research becoming public. It is not known why the blog post was later deleted.

The exposed data has been added to Have I Been Pwned, a search engine that can be used to see if your information has been involved in a data breach. In total, 857,611 customer accounts were compromised. 

TechRepublic: MGM Hotel breach highlights need for sophisticated cloud security

"We are deeply sorry for this oversight," Endicott says. "We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months." 

An external cybersecurity firm has also been hired to perform an audit of existing security processes. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards