Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Slickwraps Discloses Data Breach

Slickwraps, a company that provides protection solutions and accessories for phones, computers and other devices, has revealed that user data was compromised recently after a third party accessed an unprotected database left accessible from the Internet.

Slickwraps, a company that provides protection solutions and accessories for phones, computers and other devices, has revealed that user data was compromised recently after a third party accessed an unprotected database left accessible from the Internet.

The Kansas-based company says user names, email addresses, and physical addresses were included in the databases, although no passwords or financial details were stored there.

According to Slickwraps, the incident impacted “some of our non-production databases,” all of which were immediately secured after learning of the exposure. However, the company recommends that users reset their passwords and be wary of phishing emails.

In a breach notification on their website, the company expressed regret for the incident and reassured users that it was planning several security improvements.

The company did not provide specific information on the number of impacted users, but Troy Hunt, founder of data breach notification service Have I Been Pwned, says that 858,000 unique email addresses were compromised in the data breach.

“Data also included names, physical addresses, phone numbers and purchase histories,” Hunt posted on Twitter.

In their data breach notification, Slickwraps said it became aware of the issue after being contacted by an individual via Twitter, and that it contacted Troy Hunt on February 20 to verify the authenticity of the leaked data.

That individual is a security researcher going by the online handle of Lynx, who claims in a Medium post (now removed) that he attempted to contact Slickwraps multiple times regarding the breach, but that the company blocked his account on Twitter — the researcher’s account has been removed.

Advertisement. Scroll to continue reading.

According to Lynx, a vulnerability on Slickwraps’ website provided him with access to their server, where he could “achieve remote code execution and unlock the ability to execute shell commands.”

The researcher claimed he had gained access to “their entire 17GB MySQL database,” containing Slickwraps admin account details, customer data, and API credentials for MadMimi, PayPal Payments Pro, Braintree, ShipHero, Zendesk, Facebook, Twitter, and Instagram.

The researcher said he also gained full access to Slickwraps’ corporate Slack, account balances, and transaction logs for their payment gateways. Moreover, through the administrator panel, he gained “full control over their content management system.”

Lynx first tried to contact the company on February 16, via Twitter, but received no response following multiple attempts. The researcher also uploaded a proof of concept .txt file to their server and posted on Twitter about it, which resulted in Slickwraps blocking his account.

The company then started resetting passwords and changing API keys, but the researcher claimed he still had code execution access three days after the initial contact attempt. Lynx then informed Hunt of the data breach.

Following the researcher’s post on Medium, other white hat hackers too managed to access Slickwraps’ servers using the same vulnerability. Using their access to user emails, they apparently sent a mass message to 377,428 of the company’s customers, informing them of the breach.

Slickwraps, which has contacted the FBI on the issue, says the vulnerability was patched on February 21, and that all data has been secured. The company is still investigating the incident.

Related: Japanese Electronics Giant NEC Discloses Old Data Breach

Related: P&N Bank Data Breach Exposes Trove of User Data

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...