Wednesday, February 26, 2020

Slickwraps apologizes to customers after comically bad data breach


Slickwraps, which makes vinyl skins for phones, tablets, and other electronics, announced last week that it suffered a data breach. The news came after many customers received an email from Slickwraps that appeared to be sent by a hacker claiming to have stolen customer data.

What's unusual about this case is how the hacker apparently breached Slickwraps' systems: not by discovering the vulnerability on their own, but by reading a now-deleted Medium post from an anonymous fellow hacker. The takeaway is that Slickwraps may have had comically bad security, leaving it both wide open to breaches like this and flat-footed when it came to responding to any issues brought to its attention.

In its blog post, Slickwraps said customer data in some of the company's non-production databases was "mistakenly made public via an exploit" and that those databases were "accessed by an unauthorized party." Slickwraps says the accessed information included names, emails, and addresses, but it did not include passwords or personal financial data. If you have only checked out as a guest, none of your personal information was compromised, according to Slickwraps.

The company recommends users change the password on their Slickwraps account. It also says it will make security improvements moving forward:

This will include auditing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cybersecurity firm to assess and improve our security protocols.

Yesterday, Slickwraps' CEO posted a solemn apology video on Twitter, where he said the company has already started work on a new website with a new phone case customization page that it aims to launch this year.

Slickwraps' blog post also mentions that an "attacker" emailed customers on Friday; that seems to be the malicious email sent from hello@slickwraps.com. Some Twitter users shared the malicious email, which was apparently sent to 377,428 email addresses in the company's records.

The person who sent this email said they learned how to obtain Slickwraps' data by reading a now-deleted Medium post (archived here) by an individual who goes by the pseudonym Lynx0x00 on Medium and on their now non-existent Twitter account. Lynx0x00, whose Twitter bio in January read, "Security Researcher, White Hat Hacker, Not Axe," claimed that Slickwraps' phone case customization page had a vulnerability that allowed someone to "upload any file to any directory in the highest folder on their server." In other words, the upload handler behind the customization tool appears to have accepted an attacker-controlled file name and destination path without restricting either, so the same endpoint meant for customer photos could write arbitrary content anywhere under the server's root. Lynx0x00 said they used that vulnerability to access:

  • Resumes of current and past SlickWraps employees
  • 9GB of customer photos uploaded to the case customization tool
  • All SlickWraps admin account details, including password hashes
  • All current and former SlickWraps customer billing addresses
  • All current and former SlickWraps customer shipping addresses
  • All current and former SlickWraps customer email addresses
  • All current and former SlickWraps customer phone numbers
  • All current and former SlickWraps customer transaction history
  • The company's content management system
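The vulnerability class described above, unrestricted file upload to an attacker-chosen path, is easy to reproduce in miniature. The following is an added example written for this page, not Slickwraps' code (their server stack is not public), modelling an upload handler for a case-customization tool in Python. It puts the vulnerable path construction beside a hardened version that discards the client's directory, allow-lists image extensions, verifies magic bytes, and renames the file. `WEBROOT`, `UPLOAD_DIR`, the function names and all sample inputs are constructed for the example.

```python
"""Vulnerable vs. hardened upload-path handling for an image customization tool.

Added example: modelled after the bug class described in the article (arbitrary
file to arbitrary directory). Every path, name and byte string below is
constructed for illustration and is not taken from Slickwraps' systems.
"""
import posixpath
import secrets

WEBROOT = "/var/www/html"                         # assumption: document root
UPLOAD_DIR = posixpath.join(WEBROOT, "uploads")   # assumption: intended destination

# The only content types a case-customization tool needs, with their magic bytes.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def vulnerable_target(client_dir: str, client_name: str) -> str:
    """Vulnerable: joins the client-supplied directory and file name straight
    onto the webroot. '../' segments walk out of uploads/, and a name such as
    shell.php becomes server-executable content."""
    return posixpath.normpath(posixpath.join(WEBROOT, client_dir, client_name))


def is_within(base: str, candidate: str) -> bool:
    """True when a normalized candidate path lies inside base (or equals it)."""
    base = posixpath.normpath(base)
    return candidate == base or candidate.startswith(base + "/")


def escapes_upload_dir(client_dir: str, client_name: str) -> bool:
    """True when the vulnerable handler would write outside UPLOAD_DIR."""
    return not is_within(UPLOAD_DIR, vulnerable_target(client_dir, client_name))


def hardened_target(client_name: str, content: bytes) -> str:
    """Hardened: the client never chooses the directory; the extension must be
    on the allow-list; the bytes must match that type; and the stored name is a
    random token, so traversal sequences and double extensions in the original
    name are simply discarded."""
    ext = posixpath.splitext(posixpath.basename(client_name))[1].lower()
    signature = IMAGE_SIGNATURES.get(ext)
    if signature is None:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not content.startswith(signature):
        raise ValueError("content does not match the declared image type")
    stored_name = secrets.token_hex(16) + ext
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, stored_name))
    # Defence in depth: even with a generated name, refuse anything outside UPLOAD_DIR.
    if not is_within(UPLOAD_DIR, target):
        raise ValueError("resolved path escapes the upload directory")
    return target


def rejected(client_name: str, content: bytes) -> bool:
    """Convenience wrapper: does the hardened handler refuse this upload?"""
    try:
        hardened_target(client_name, content)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed attacker inputs against the vulnerable handler.
    print(vulnerable_target("../../../etc/cron.d", "backdoor"))   # lands in /etc/cron.d
    print(vulnerable_target("../admin", "shell.php"))              # lands beside admin code
    # The same inputs against the hardened handler.
    print(rejected("../admin/shell.php", b"<?php system($_GET['c']); ?>"))
    print(hardened_target("../../shell.php.png", IMAGE_SIGNATURES[".png"] + b"\x00" * 8))
```

The two checks that matter are independent: path confinement stops writes outside the upload directory, and type validation plus renaming stops a web shell from being stored under a name the server will execute. Either one alone leaves a hole; the reported bug appears to have lacked both.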

In their blog post, Lynx0x00 claimed they tried to contact Slickwraps by tagging the company in public tweets and sending Twitter DMs and emails to inform the company about the vulnerabilities.

This part of the story gets a little weird. At one point, @Slickwraps had blocked Lynx0x00, but @SlickwrapsHelp eventually contacted Lynx0x00 over Twitter DM, which led to a conversation where Lynx0x00 asked to be unblocked:

[Image: Lynx0x00]

Lynx0x00 then sent a long DM to @Slickwraps threatening to go public with the vulnerabilities if Slickwraps didn't do so itself:

[Image: Lynx0x00]

@Slickwraps then claimed the account was run by a third party:

[Image: Lynx0x00]

Lynx0x00 then emailed Slickwraps' CEO to tell him to check his Twitter DMs. It appears Lynx0x00 found the CEO's email address by looking through company files accessed through Slickwraps' vulnerabilities. After sending the email, Lynx0x00 was blocked by @Slickwraps again, reportedly "within three minutes."

Right now, it's unclear who sent the emails that went out to Slickwraps' customers and who Lynx0x00 is, and whether the two are connected in any way. Lynx0x00 did say in their blog post that they "might not be the only one" in Slickwraps' databases. The Verge has reached out to an email address that appears to be associated with Lynx0x00 to ask for comment.

In its blog post, Slickwraps says the exploit has been patched, that "all data is secured," and that it's working with a "third-party cybersecurity team" to review the situation. The FBI has also opened an investigation, the company says.

The Verge reached out to hello@slickwraps.com for comment but has not yet received a reply. The phone number on the company's press contact page is out of service, and the link on that page to send a press email points to a placeholder email address.
