Slickwraps Suffers Data Breach After Ignoring Warnings From Security Researcher

[MacRumors]

Slickwraps, a company that develops skins for Apple devices like the iPhone and Mac, yesterday suffered a data breach that saw customer info like names and addresses leaked.

News of the leak surfaced when hackers who got into the database sent out emails to Slickwraps' customer base of more than 370,000 users letting them know about Slickwraps' poor security.

Prior to the breach, Slickwraps was warned of the vulnerabilities in its site (linked to the create a skin feature) multiple times by a security researcher who goes by Lynx on Twitter, who has now deleted all of his tweets.

Lynx informed Slickwraps about the data breach on February 15, and attempted to get in touch with the company several times over the course of the last week, as outlined by an article shared on Medium that has now been suspended by Medium. Lynx had his emails ignored and was even blocked by Slickwraps on Twitter after attempting to inform the site of its security vulnerabilities.

Lynx's interactions with Slickwraps were not exactly polite and he was dealing with customer support staff that were clearly confused about what was going on based on the now-removed Medium article, but Slickwraps blatantly ignored multiple warnings about its poor security before the data breach. Lynx says that he did not send out the emails that were delivered to Slickwraps customers yesterday and that it was a third-party data breach that happened after his article was published, but with his Medium post suspended and all of his tweets deleted, he may be in some hot water for the public way that he disclosed the vulnerabilities in the site.

After the emails went out and customers became aware of the data breach, Slickwraps finally commented on the situation. An initial statement tweeted by Slickwraps (which is based in the United States) claimed to have just heard about the data breach on "February 22" when it was still February 21, which was inaccurate because Lynx documented his attempts to get in touch with the company on Twitter. Slickwraps later deleted the statement and tweeted a new one with the correct date. From Slickwraps' statement:

There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.

We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.

The information did not contain passwords or personal financial data.

The information did contain names, user emails, addresses. If you've ever checked out as "GUEST" none of your information was compromised.

Slickwraps goes on to say that it is "deeply sorry" for the oversight and promises to "learn from this mistake." It recommends that users reset their account passwords and be watchful for any phishing attempts.

Going forward, Slickwraps says that it will enhance its security processes, improve communication of security guidelines to Slickwraps employees, and make user-requested security features a "top priority." The company says that it is also partnering with a third-party cyber security firm to audit and improve security protocols.

Slickwraps' data breach demonstrates the importance of penetration testing for any site that deals with customer data. Data breaches are pretty much impossible to avoid these days, but customers can protect themselves somewhat by using unique passwords for every site and using two-factor authentication where appropriate.

Article Link: Slickwraps Suffers Data Breach After Ignoring Warnings From Security Researcher

 

[twistedpixel8]

Complacency regarding security in 2020 is inexcusable. If you behave this way with customer data you shouldn’t run a company.

 

[Will Tisdale 🎗]

I wonder on what grounds Medium ‘suspended’ that researchers post?

I guess that’s yet another reason not to use blogging services like that for anything remotely important.

Also, if the researcher has been ignored and then blocked as appears to have happened, then public disclosure is the only way. I don’t see an issue with it.

 

[jafd]

An important lesson and message companies like Slickwrap are conveying with this: if you find a vulnerability of a service on the internet, never ever disclose it to the owners. You will be deemed the Problem and your behind gets prosecuted to set an example. You make them look bad, you make them do extra work, you piss them off. You need to be silenced.

Instead, sit on that information quietly. Sell the exploit on the black market if you want to profit off it. Get wild, just try not to get caught. You'll be way safer that way.

 

[Will Tisdale 🎗]

An important lesson and message companies like Slickwrap are conveying with this: if you find a vulnerability of a service on the internet, never ever disclose it to the owners. You will be deemed the Problem and your behind gets prosecuted to set an example. You make them look bad, you make them do extra work, you piss them off. You need to be silenced.

Instead, sit on that information quietly. Sell the exploit on the black market if you want to profit off it. Get wild, just try not to get caught. You'll be way safer that way.

Yep, it’s a completely irresponsible way of dealing with a report. What’s so wrong or difficult about listening to the researcher, reproducing the issue and fixing it without being an arse about it?

Ignoring someone who is ultimately trying to help is very much a spoilt child mentality.

 

[Bkxmnr]

"Fat, drunk, and stupid is no way to go through life son." Ignoring advice from security experts falls under the stupid category.

 

[dyt1983]

[...] but customers can protect themselves somewhat by using unique passwords for every site and using two-factor authentication where appropriate.

Article Link: Slickwraps Suffers Data Breach After Ignoring Warnings From Security Researcher

Unique passwords and 2FA may help with preventing your acount from being hacked and other unrelated accounts being accessed, but it won't help to stop your data from being taken in a data breach.

 

[Dave-Z]

he may be in some hot water for the public way that he disclosed the vulnerabilities in the site.

He made attempts to alert the company, they outright refused to acknowledge him. He then disclosed it publicly. That's literally what every security researcher does.

 

[primarycolors]

If anyone doesn't know, SlickWraps already had an incredibly sleazy track record. Constant discounts from false prices (false advertising), failing to deliver on orders, failing to respond to customer service, alleged artwork theft... not to mention their ridiculous social media bots posting fake pro-SlickWraps BS on Reddit and mass downvoting anything against them. I unfortunately fell for the fake sales when I didn't know better and got my info in their system...

SlickWraps is a true train wreck company. I'm absolutely enraged yet not surprised by their poor handling of this.

Now, I'm really curious to see what charges they will face from GDPR violations.

 

[JPack]

It's a three-man operation focused on selling overpriced stickers.

I expect the owner of the company to be selling your personal data for money.

 

[Will Tisdale 🎗]

Unique passwords and 2FA may help with preventing your acount from being hacked and other unrelated accounts being accessed, but it won't help to stop your data from being taken in a data breach.

Exactly. 2FA is no substitute for data security at the server end. The only benefit you’ll get is that an attacker won’t be easily able to log in, but they’ll still have your data which will be useful in other attacks.

 

[jclo]

Unique passwords and 2FA may help with preventing your acount from being hacked and other unrelated accounts being accessed, but it won't help to stop your data from being taken in a data breach.

No, it won't. But it's about the best we can do.

 

[jclo]

He made attempts to alert the company, they outright refused to acknowledge him. He then disclosed it publicly. That's literally what every security researcher does.

Yeah, I'm speculating that he's being blamed in some way because his Medium post was deleted and he deleted all of his tweets. I agree that the public disclosure is standard practice. Whether he gave too many specifics about the vulnerabilities in his disclosure is not something I can judge because I'm not a security researcher (maybe someone else can weigh in here?), but he did say himself that the breaches that involved the emails going out to customers seemed to have happened after he shared the info, and he gave a very detailed accounting of the site's issues.

Archive of the Medium article: http://archive.is/yEIJT
His pen test results: https://files.catbox.moe/fxn9r2.pdf

 

[1rottenapple]

Complacency regarding security in 2020 is inexcusable. If you behave this way with customer data you shouldn’t run a company.

You know governs regulation should really arrest these aaaholes. It’s our data and they do not care. They only care when they get caught and say sorry. I got these emails as well and showed my full name and address! I’ll never order from them.

 

[Will Tisdale 🎗]

Yeah, I'm speculating that he's being blamed in some way because his Medium post was deleted and he deleted all of his tweets. I agree that the public disclosure is standard practice. Whether he gave too many specifics about the vulnerabilities in his disclosure is not something I can judge because I'm not a security researcher (maybe someone else can weigh in here?), but he did say himself that the breaches that involved the emails going out to customers seemed to have happened after he shared the info, and he gave a very detailed accounting of the site's issues.

Archive of the Medium article: http://archive.is/yEIJT
His pen test results: https://files.catbox.moe/fxn9r2.pdf

Thanks for the links - both an interesting read.
He did say that he believed someone else was in their systems prior to his full public disclosure post, which would make sense given the fact it was basically wide open for anyone.
All he’d done at that stage was highlight an issue via Twitter.
It’s interesting that SlickWraps we’re trying to cover their tracks though instead of dealing with the vulnerability, probably so they could lie about something, whether it be the breach itself or the data which was breached - although the cat was already out of the bag then so the act was somewhat futile.

 

[now i see it]

and in other news..
There's likely hundreds of thousands of other websites equally vulnerable and not secure.

 

[69Mustang]

and in other news..
There's likely hundreds of thousands of other websites equally vulnerable and not secure.

Maybe. But we can't do anything about it until they're exposed. We can do something about Slickwraps and their behavior. Express displeasure by not buying their products, and spreading the word about their negligence.

 

[atomic.flip]

For Christ’s sake. I deal with this b.s. in consulting with my clients all the time. No one wants to take out the trash till the dumpster is on fire. Meanwhile the morons spray alcoholic based fragrances to try and mask the scent till the f—-ing building burns down.

There should be criminal penalties associated with the theft of data in circumstances where an institution had prior knowledge of the potential.

Civil, financial and even brand marring threats have little to no impact on management. Take away their freedoms and suddenly everyone wants to do the right thing.

Closest thing we have to any such remedy is to go after the executives with a Fiduciary responsibility to the company and its shareholders... but that path is very rarely taken as it is very challenging to do so without entangling the rest of senior management as well.
[automerge]1582406101[/automerge]

Maybe. But we can't do anything about it until they're exposed. We can do something about Slickwraps and their behavior. Express displeasure by not buying their products, and spreading the word about their negligence.

In the finance world and in any industry with strict regulatory oversight routine audits put pressure on organizations to be at minimum extremely responsive and at best proactive.

 

[Donnation]

Slickwraps is a company of ******s. Their customer service is terrible and after putting up with it once and excusing it as just a bad experience, the second time I'd had enough. They are the worst to deal with and this serves them right.

 

[tony1984]

This sounds just like this company. I sent them a email concerning an order and they didn’t respond for nearly two weeks. That was only after I said hit them up on FB and they blocked me.

 

[johnparjr]

I got that email had my address and an old phone number kind of disturbing

 

[Packers1958]

I won't do business with them ever again. Incompetent companies like that should go out of business. I hope they do.

 

[ghanwani]

I avoid buying from companies that do not have a check out as guest option, but I guess that still doesn’t guarantee that my info can’t be stolen from a company I bought something from.

 

[jafd]

It's a three-man operation focused on selling overpriced stickers.

I expect the owner of the company to be selling your personal data for money.

Given that the data was just lying there for any takers, they failed even at that.

 

[Berserker-UK]

Whether he gave too many specifics about the vulnerabilities in his disclosure is not something I can judge because I'm not a security researcher (maybe someone else can weigh in here?)

I'm not either, but there was more than enough in the pen test information for me to understand how he got in. It's a very common technique, and one that's very easy to avoid with proper site permissions, irrespective of ignoring the warning in the code containing the exploit (which was also easy to fix). Full disclosure - I'm a software developer and have had some security training.