
Slickwraps hit by customer data breach


Slickwraps, a company that makes vinyl skins for popular gadgets, has revealed that its website was compromised, and personal details of its customers exposed.

The company tweeted that an “unauthorized party” had gained access to its database, exposing details including customer names, email IDs and addresses, although passwords and credit card information were unaffected.

The hack was uncovered by a security researcher named Lynx, who shared a Medium post stating that he was able to access Slickwraps’s server in January using a vulnerability in the custom skin image upload section of the website. 

Breach

In his post, Lynx said that he not only gained access to admin details, customer billing and shipping addresses, phone numbers and customer photos, but also obtained access to internal details including the resumes of employees, the ZenDesk ticketing system, API credentials and even social media accounts.

The researcher took to Twitter to inform Slickwraps about the vulnerabilities; however, the company's support team appeared clueless about his claims. 

While all his tweets and the Medium post are now deleted, Lynx mentioned that since the vulnerability had still not been fixed, other hackers might be able to access the data. Rather than acting on his information, the Slickwraps social media team blocked Lynx on Twitter.

Following the disclosure, hackers were eventually able to get hold of the data and sent an email to over 377,000 customers using Slickwraps' official support ID, informing them about the compromise. As of now, there is no report of malicious use of personal details.

Slickwraps issued a statement acknowledging the breach and apologized to its customers, with a promise to enhance its security process. The company also announced that it will partner with a third-party cyber security firm for a security audit and implement the firm's suggestions to improve security protocols.

The official statement from Slickwraps reads: “There is nothing we value higher than trust from our users. We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.

The information did not contain passwords or personal financial data. The information did contain names, user emails, addresses.”

Via: AndroidPolice