Slickwraps customers' private data becomes at risk of exposure
A cybersecurity specialist known as Lynx has revealed that systems belonging to Slickwraps were open to unauthorized access. The company did not respond to the findings at first, so the researcher went public with the discovery.
Slickwraps manufactures mobile phone cases. Lynx claims that in January 2020 he found a path traversal flaw in an upload script used for case creation, which allowed him to reach the company's systems and view private information, including customer data.
Through this flaw the researcher was able to access employee CVs, roughly 9GB of photographs submitted by customers, API credentials, the ZenDesk ticketing service, and personally identifiable information such as customers' home addresses, email addresses, mobile phone numbers, payment details, and hashed passwords.
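The article only says the entry point was a path traversal flaw in an upload script, without showing any code. The following is an added illustration, not Slickwraps' code, of the general pattern: a naive handler that joins a client-supplied filename onto the upload directory, next to a hardened version that allowlists the name, checks the extension, and verifies the resolved path still sits inside the upload root. The directory name, extension list and filenames are constructed for the example.

```python
import os
import re
from pathlib import Path

# Constructed example values; the real upload script is not described in the article.
UPLOAD_ROOT = "/srv/uploads"                # hypothetical upload directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}
# Plain filenames only: must start with an alphanumeric, no separators, max 100 chars
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def naive_upload_path(root, user_filename):
    """Vulnerable pattern: the client-supplied name is joined as-is, so
    '../' segments (or an absolute path) walk out of the upload directory."""
    return os.path.join(root, user_filename)


def escapes_root(root, path):
    """True when the normalised path is not inside root; this is the check a
    reviewer would run to confirm naive_upload_path can be steered elsewhere."""
    root_n = os.path.normpath(os.path.abspath(root))
    path_n = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root_n, path_n]) != root_n


def safe_upload_path(root, user_filename):
    """Hardened version: reject anything that is not a plain image filename,
    then verify the resolved path is a direct child of the upload root.
    user_filename is expected to be the already URL-decoded value from the request."""
    if "\x00" in user_filename or "/" in user_filename or "\\" in user_filename:
        raise ValueError("path separators or NUL bytes in filename")
    if not SAFE_NAME.fullmatch(user_filename):
        raise ValueError("filename contains characters outside the allowlist")
    if os.path.splitext(user_filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    root_p = Path(root).resolve()
    candidate = (root_p / user_filename).resolve()
    # Defence in depth: even after the allowlist, confirm nothing escaped the root
    if candidate.parent != root_p:
        raise ValueError("resolved path escapes upload root")
    return str(candidate)


def is_accepted(root, user_filename):
    """Convenience wrapper: True if safe_upload_path would accept the name."""
    try:
        safe_upload_path(root, user_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["design.png", "../../etc/passwd", "/etc/passwd", "logo.php", "a\x00.png"]:
        print(repr(name), "naive escapes root:", escapes_root(UPLOAD_ROOT, naive_upload_path(UPLOAD_ROOT, name)),
              "| hardened accepts:", is_accepted(UPLOAD_ROOT, name))
```

The important design choice is that the hardened path never tries to "clean" a bad name (stripping `../` and continuing); it rejects it outright, so a traversal attempt is logged as a validation failure rather than silently mapped to some other file. The final `candidate.parent != root_p` check stays in place as a safety net even though the allowlist already excludes separators.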
Unsolicited emails appeared informing users about the breach and encouraging victims to tell Slickwraps how angry they are
Lynx was puzzled when Slickwraps refused to respond to his findings and repeatedly blocked him. The researcher says that all he wanted was disclosure of the breach, not a monetary reward. Slickwraps's reaction led to an unknown individual sending emails about the leaked data to almost 400K users; this person had managed to use the company's ZenDesk service to send them.
The email states that Slickwraps has been hacked and its data leaked, and that the sender intends to inform all 377,428 affected people of what has happened. It encourages those affected by the breach to reply to the email, tell the company how angry they are, and contact local authorities about the incident.
Lynx also said that he had written a Medium post explaining that Slickwraps had ignored and blocked him, and that this post may have prompted the unknown individual to start sending those emails. Lynx nevertheless considers the vulnerability in the company's system a serious one and believes people have the right to know about it.
Even though the Medium post about the leak was taken down, the flaw in Slickwraps's website still exists. Everyone who has used the service is encouraged to change their account password. Lynx has also informed the Have I Been Pwned data breach service about the incident, in the hope that, once the breach data is added to the service, potential victims will be able to check whether their email address was leaked.
Slickwraps releases a report on Twitter where they apologize for the incident
Slickwraps has finally released a statement on the incident and claims to have notified all potential victims. In a post on Twitter the company says it made a big mistake by violating the trust of its customers and states that it secured the exposed information on February 21st, 2020. The firm apologizes for the incident and promises improvements:
We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.