Slickwraps, a company that provides protection solutions and accessories for phones, computers and other devices, has revealed that user data was compromised recently after a third party accessed an unprotected database left accessible from the Internet.
The Kansas-based company says user names, email addresses, and physical addresses were included in the databases, although no passwords or financial details were stored there.
According to Slickwraps, the incident impacted “some of our non-production databases,” all of which were secured immediately after the company learned of the exposure. However, the company recommends that users reset their passwords and be wary of phishing emails.
In a breach notification on its website, the company expressed regret for the incident and reassured users that it was planning several security improvements.
The company did not provide specific information on the number of impacted users, but Troy Hunt, founder of data breach notification service Have I Been Pwned, says that 858,000 unique email addresses were compromised in the data breach.
“Data also included names, physical addresses, phone numbers and purchase histories,” Hunt posted on Twitter.
In its data breach notification, Slickwraps said it became aware of the issue after being contacted by an individual via Twitter, and that it contacted Troy Hunt on February 20 to verify the authenticity of the leaked data.
That individual is a security researcher going by the online handle Lynx, who claims in a Medium post (now removed) that he attempted to contact Slickwraps multiple times regarding the breach, but that the company blocked his account on Twitter. The researcher’s account has been removed.
According to Lynx, a vulnerability on Slickwraps’ website provided him with access to their server, where he could “achieve remote code execution and unlock the ability to execute shell commands.”
The researcher claimed he had gained access to “their entire 17GB MySQL database,” containing Slickwraps admin account details, customer data, and API credentials for MadMimi, PayPal Payments Pro, Braintree, ShipHero, Zendesk, Facebook, Twitter, and Instagram.
The researcher said he also gained full access to Slickwraps’ corporate Slack, account balances, and transaction logs for their payment gateways. Moreover, through the administrator panel, he gained “full control over their content management system.”
Lynx first tried to contact the company on February 16, via Twitter, but received no response following multiple attempts. The researcher also uploaded a proof-of-concept .txt file to their server and posted on Twitter about it, which resulted in Slickwraps blocking his account.
The company then started resetting passwords and changing API keys, but the researcher claimed he still had code execution access three days after the initial contact attempt. Lynx then informed Hunt of the data breach.
Following the researcher’s post on Medium, other white hat hackers also managed to access Slickwraps’ servers using the same vulnerability. Using their access to user emails, they apparently sent a mass message to 377,428 of the company’s customers, informing them of the breach.
Slickwraps, which has contacted the FBI about the issue, says the vulnerability was patched on February 21, and that all data has been secured. The company is still investigating the incident.