Date: 2020-02-26

Slickwraps, which manufactures vinyl skins for phones, tablets and other electronic products, announced last week that it suffered a data breach. The announcement came after many customers received an email from Slickwraps that was apparently sent by a hacker who claims to have stolen customer data.

The unusual thing about this case is how the hacker apparently breached Slickwraps' systems: not by discovering the vulnerability on their own, but by reading a now-removed Medium post from a fellow anonymous hacker. The conclusion is that Slickwraps may have had comically bad security, which left it open to breaches like this and flat-footed when it came to responding to any concerns that were raised.


In its blog post, Slickwraps said that customer data in some of the company's non-production databases "were made public by mistake through an exploit" and that those databases were "accessed by an unauthorized party." Slickwraps says that the information accessed included names, emails and addresses, but did not include passwords or personal financial data. If you ever checked out as a guest, none of your personal information was compromised, according to Slickwraps.

The company recommends that users change the passwords for their Slickwraps accounts. It also says it will make security improvements in the future:

This will include improving our security processes, improving the communication of security guidelines to all Slickwraps employees and making more of our security functions requested by users our top priority in the coming months. We are also partnering with a third-party cybersecurity company to audit and improve our security protocols.

Yesterday, Slickwraps' CEO published a solemn apology video on Twitter, in which he said the company has already started working on a new website with a new phone case customization page that it intends to launch this year.

The Slickwraps blog post also mentions that an "attacker" sent an email to customers on Friday, which appears to be the hacked email from [email protected]. Some Twitter users shared the hacked email, which was apparently sent to 377,428 email addresses in the company's records.

The person who sent this email said they learned how to access Slickwraps data by reading a now-deleted Medium post (archived here) by a person using the alias Lynx0x00 on Medium and on their now-nonexistent Twitter account. Lynx0x00, whose Twitter bio in January read "Security researcher, White Hat Hacker, Not Ax," said the customization page for Slickwraps phone cases had a vulnerability that allowed someone to "upload any file to any location in the top directory of your server." Lynx0x00 said they used that vulnerability to access:

Resumes of current and past SlickWraps employees

9GB of customer photos uploaded to the case customization tool

All details of the SlickWraps administrator account, including password hashes

All billing addresses of current and historical SlickWraps customers

All current and historical SlickWraps customer shipping addresses

All email addresses of current and historical SlickWraps customers

All phone numbers of current and historical SlickWraps customers

All current and historical SlickWraps customer transaction history

The company's content management system.

In their blog post, Lynx0x00 said they tried to contact Slickwraps by tagging the company in public tweets and sending emails and Twitter DMs to inform the company about the vulnerabilities.

This part of the story gets a bit weird. At one point, @Slickwraps had blocked Lynx0x00, but @SlickwrapsHelp finally contacted Lynx0x00 via Twitter DM, which led to a conversation in which Lynx0x00 asked to be unblocked:

Image: Lynx0x00

Lynx0x00 then sent a long DM to @Slickwraps threatening to make the vulnerabilities public if Slickwraps didn't do so itself:

Image: Lynx0x00

@Slickwraps then claimed that the account was managed by a third party:

Image: Lynx0x00

Lynx0x00 then sent an email to the CEO of Slickwraps to tell him to check his Twitter DMs. It seems that Lynx0x00 found the CEO's email when reviewing company records accessed through Slickwraps vulnerabilities. After sending the email, Lynx0x00 was blocked by @Slickwraps once more "in three minutes."

At this time, it is not clear who sent the emails to Slickwraps customers or who Lynx0x00 is, nor whether the two are connected in any way. Lynx0x00 said in their blog post that "they might not be the only one" in the Slickwraps databases. The Verge has contacted an email address that appears to be associated with Lynx0x00 to request comment.

In its blog post, Slickwraps says that the exploit has been fixed, that "all data is protected" and that it is working with a "third-party cybersecurity team" to analyze the situation. The FBI has also opened an investigation, the company says.

The Verge contacted [email protected] for comment but has not yet received a response. The phone number on the company's press contact page is out of service, and the link on that page for sending a press email links to a blank email address.