Slickwraps Discloses Data Breach

Slickwraps, a company that provides protection solutions and accessories for phones, computers and other devices, has revealed that user data was compromised recently after a third party accessed an unprotected database left accessible from the Internet.

The Kansas-based company says user names, email addresses, and physical addresses were included in the databases, although no passwords or financial details were stored there.

According to Slickwraps, the incident impacted “some of our non-production databases,” all of which were secured immediately after the company learned of the exposure. However, the company recommends that users reset their passwords and be wary of phishing emails.

In a breach notification on their website, the company expressed regret for the incident and reassured users that it was planning several security improvements.

The company did not provide specific information on the number of impacted users, but Troy Hunt, founder of data breach notification service Have I Been Pwned, says that 858,000 unique email addresses were compromised in the data breach.

“Data also included names, physical addresses, phone numbers and purchase histories,” Hunt posted on Twitter.

In their data breach notification, Slickwraps said it became aware of the issue after being contacted by an individual via Twitter, and that it contacted Troy Hunt on February 20 to verify the authenticity of the leaked data.

That individual is a security researcher going by the online handle of Lynx, who claims in a Medium post (now removed) that he attempted to contact Slickwraps multiple times regarding the breach, but that the company blocked his account on Twitter. The researcher’s account has been removed.

According to Lynx, a vulnerability on Slickwraps’ website provided him with access to their server, where he could “achieve remote code execution and unlock the ability to execute shell commands.”

The researcher claimed he had gained access to “their entire 17GB MySQL database,” containing Slickwraps admin account details, customer data, and API credentials for MadMimi, PayPal Payments Pro, Braintree, ShipHero, Zendesk, Facebook, Twitter, and Instagram.

The researcher said he also gained full access to Slickwraps’ corporate Slack, account balances, and transaction logs for their payment gateways. Moreover, through the administrator panel, he gained “full control over their content management system.”

Lynx first tried to contact the company on February 16, via Twitter, but received no response following multiple attempts. The researcher also uploaded a proof of concept .txt file to their server and posted on Twitter about it, which resulted in Slickwraps blocking his account.

The company then started resetting passwords and changing API keys, but the researcher claimed he still had code execution access three days after the initial contact attempt. Lynx then informed Hunt of the data breach.

Following the researcher’s post on Medium, other white hat hackers also managed to access Slickwraps’ servers using the same vulnerability. Using their access to user emails, they apparently sent a mass message to 377,428 of the company’s customers, informing them of the breach.

Slickwraps, which has contacted the FBI on the issue, says the vulnerability was patched on February 21, and that all data has been secured. The company is still investigating the incident.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
