Slickwraps, the mobile device case retailer, left its data exposed after a security researcher was able to access its systems.
Security researcher Lynx announced in a post to Medium that he had gained full access to the Slickwraps website in January 2020 via a vulnerability.
Lynx was allegedly able to access 9GB of customer photos, employee resumes, the ZenDesk ticketing system, API credentials, and personal customer information including addresses, email addresses, phone numbers, hashed passwords and transactions.
After attempting to report the breach to Slickwraps, Lynx stated that they had been blocked.
In a Medium post, which has since been taken down, Lynx said: “They had no interest in accepting security advice from me. They simply blocked and ignored me.”
“Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in the sense that they blocked me and did not care about their customers at all. Since this is a major breach, and I exhausted all my other options to contact them, I felt the need to disclose this publicly, in hopes that they fix this asap.”
Since the post, an unauthorised user has sent an email to 377,428 customers using Slickwraps’ ZenDesk help desk system, Lynx told BleepingComputer.
The emails begin with: “If you’re reading this it’s too late, we have your data.”
Many customers have taken to Twitter, posting images of the email. It remains unknown who sent the emails.
After gaining access, Lynx continued to look for more vulnerabilities, explaining to BleepingComputer: “As a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there’s still 10 others.”
Slickwraps CEO Jonathan Endicott released a statement on Twitter, explaining information “in some of our production databases was mistakenly made public via an exploit.”
Endicott stressed that the information did not contain passwords or personal financial data, although Lynx’s account lists hashed passwords among the data accessed.
“Upon finding out about the public user data, we took immediate action to secure it by closing any database in question,” Endicott added.
“As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts.”
Lynx has passed the customer information along to Troy Hunt of the Have I Been Pwned data breach notification service.