Slickwraps, a store for creating custom “skins” for mobile devices, consoles and more have recently alerted customers to a data breach. After finding a path traversal vulnerability with the image uploader used for designing skins, Twitter user @Lynx0x00 (whose account seems to have been deleted at the time of this writing) claimed that he was able to gain full access to the Slickwraps site. Lynx0x00 had full access to employee resumes, photos uploaded by customers, the Zendesk customer support system, API credentials and personal customer information such as hashed passwords, shipping addresses, and transaction histories. When trying to report the vulnerability to Slickwraps, Lynx0x00 claimed that the company ignored multiple attempts to reach out and instead blocked him. To make matters worse, shortly after publishing a blog post on Medium about the details of the vulnerability, an unknown actor mass emailed Slickwrap customers with an ominous-looking message that linked to the blog post by the researcher. The email contained an edited version of the Slickwraps logo with the word “HACKED” over it and started with the message “If you’re reading this it’s too late, we have your data.” On February 21st, Slickwraps notified customers and posted a public statement on their Twitter account to acknowledge the breach.
Although the breach did not include plain-text passwords, customers are still advised to change passwords on Slickwraps’ website and anywhere else that same password may have been re-used. Any breach that gives access to email addresses also comes with the risk of new phishing attempts as well, so be cautious of links from unknown senders. Companies that operate public-facing websites should consider implementing a vulnerability disclosure program with clear guidelines for researchers to responsibly report problems. It is also advisable to monitor servers for signs of unusual behaviors and file access patterns that may indicate a breach.