Pierluigi Paganini February 24, 2020

Slickwraps has disclosed a data breach that impacted over 850,000 user accounts, data were accidentally exposed due to security vulnerabilities.

Slickwraps is an online store that offers for sale skins mobile devices, laptops, smartphones, tablets, and gaming consoles.

The data leak was disclosed last week, on February 21 the company that customer records were accidentally exposed online via an exploit.

Exposed records include names, email addresses, physical addresses, phone numbers, and purchase histories. 

“On February 21st, we discovered customer data in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.” reads the security update published by the company.

The company confirmed that records were accessed by an unauthorized party, but pointed out that exposed data information did not contain passwords or personal financial data.

Data belonging to users that checked out as guests were not exposed. 

“The information did contain names, user emails, addresses If you ever checked out as “GUEST” none of your information was compromised.” continues the update.

“Upon finding out about the public user data, we took immediate action to secure it by closing any databases in question”

Even if no passwords were compromised, the company recommends users reset their password and remain vigilant for any phishing attempts.

On February 21, an individual claiming to be the attacker emailed customers impacted in the breach.

The message sent by the attacker included a part of the exposed user data and suggested customers contact the company.

A cyber security expert that goes online with the moniker of Lynx0x00 published a blog post detailing his failed attempts of reporting the vulnerability on Slickwraps’ servers to the company.

“A person by the name of Lynx0x00 positioning himself as a cybersecurity analyst posted a blog last Friday detailing his unfavorable experience “reporting” a rather severe and easy to exploit vulnerability on Slickwraps’ servers.” reported Slashgear. Lynx0x00’s Medium and Twitter accounts have mysteriously vanished but, fortunately, the Internet never truly forgets. That and enough eyes have seen and screen-capped the posts for posterity.”

After the Slickwraps was made aware of the incident via Twitter, the popular cyber security expert Troy Hunt was contacted to verify the attacker’s announcement. The expert reported the incident to the FBI, the company identified the exploit and secured the vulnerable servers exposing the customers’ data. 

Below the timeline of the security breach:

• After receiving said message, contact was made to Troy Hunt @troyhunt on February 20th, 2020, to verify the users’ authenticity.
• February 20th, 2020 – FBI were notified of the possible threat, and our security team began looking into a potential breach.
• February 21st, 2020 – The attacker has emailed customers connected to the breach. Has publicly stated no data was stored and all deleted.
• February 21st, 2020 – FBI has opened an investigation with DA approval.
• February 21st, 2020 – The exploit was repaired and all data is secured. We are currently working with a 3rd party cybersecurity team for continued analysis.

The exposed records have been added to Have I Been Pwned data breach notification service operated by Hunt. 

Pierluigi Paganini

(SecurityAffairs – hacking, Slickwraps )

[adrotate banner=”5″]

[adrotate banner=”13″]