Slickwraps is one of the best-known sellers of vinyl skins for computers, phones, tablets, game consoles, and other product categories. If you’ve ever bought something from Slickwraps (without PayPal or another similar service), now’s the time to replace your credit card, because the company has suffered multiple data breaches impacting all customer data.
The breaches started when security researcher ‘Lynx’ found a way to upload files to the root directory of Slickwraps’ server (archived version), through the custom skin image upload form on the company’s website. From there he claimed to have access to admin details, customer billing and shipping addresses, phone numbers, API credentials for customer support and social media accounts, and other data. The researcher ‘disclosed’ the hack to Slickwraps — and by ‘disclosed,’ I mean he said “Hey @SlickWraps, You failed the vibe check” in a public tweet, and then posted screenshots of customer support messages. I don’t think that’s how vulnerability disclosures work.
The public tweets led other hackers to look into the vulnerabilities, which means there could be multiple copies of all breached databases. Many Slickwraps customers have received emails from at least one group, which is using Slickwraps’ own contact email to inform customers they’ve been hacked.
Don’t reach out. pic.twitter.com/A1udbHwwZ0
— Cesar Torres (@towerz650) February 21, 2020
@SlickWraps I made an order four years ago and I just got an email saying that my information has been compromised, including my email address, my previous address and phone number.
— David (@dpfjobs) February 21, 2020
There are no reports of malicious uses of the Slickwraps database yet, but it’s always extremely difficult to tell how your payment information was hacked when random purchases show up on your bill. It’s not clear if detailed payment information was accessible to hackers — the original blog post only mentioned that “API credentials for PayPal Payments Pro” was available — but it’s plausible that someone with malicious intent could do more digging and find that data.
As of the time of publishing, the database has not been uploaded to Have I Been Pwned, a website where anyone can check if they’ve been affected by database breaches. Slickwraps has still not published any official response on any social media channels. We have reached out to the company for a statement, and we will update this post if we hear back.
Update 1: 2020/02/21 11:30am PST by Corbin Davenport
Slickwraps has sent out an email to customers explaining that the vulnerability didn’t leak “passwords or private monetary information,” but did include names, emails, shipping addresses, and other data. Here’s the full message:
There’s nothing we value higher than trust from our users. In fact, our entire business model depends on building long-term trust with customers that keep coming back.
We’re reaching out to you because we’ve made a mistake in violation of that trust. On February 22nd, we found data in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.
The data didn’t include passwords or private monetary information.
The data did include names, user emails, addresses. If you ever checked out as “GUEST” none of your data was comprised.
If you were a user with us before we secured this data on February 22nd, we regretfully write this email as a notification that some of your data was included in these databases. If you are receiving this email and joined us after February 22nd, we write this email because you use our products and should know how your data is being handled.
Upon finding out about the public user data, we took immediate action to secure it by closing any databases in question.
As an extra security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard security measure. Lastly, please be watchful for any phishing attempts.
We’re deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps staff, and making more of our user-requested security measures our top priority in the coming months. We’re also partnering with a third-party cyber security firm to audit and improve our security protocols.
More details will follow and we appreciate your patience during this process.
CEO @ Slickwraps
The statement said Slickwraps became aware of the vulnerability on “February 22nd,” though the company is based in the United States, where it is currently the 21st. It’s not clear if that is a typo, or if the message was written by someone at Slickwraps working in another time zone.