Slickwraps has suffered a data breach after a security researcher was able to access their systems and after receiving no response to emails, publicly disclosed how they gained access to the site and the data that was exposed.

Slickwraps is a mobile device case retailer who sells a large assortment of premade cases and custom cases from images uploaded by customers.

In a post to Medium, a security researcher named Lynx states that in January 2020 he was able to gain full access to the Slickwraps web site using a path traversal vulnerability in an upload script used for case customizations.

Using this access, Lynx stated that they were allegedly able to gain access to the resumes of employees, 9GB of personal customer photos, ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions.

Screenshot of Slickwraps payment gateway

After trying to report these breaches to Slickwraps, Lynx stated they were blocked multiple times even when stating they did not want a bounty, but rather for Slickwraps to disclose the data breach.

"They had no interest in accepting security advice from me. They simply blocked and ignored me," Lynx stated in the Medium post. This post has since been taken down by Medium, but is still available via archive.org.

Since posting his Medium post, Lynx told BleepingComputer that another unauthorized user sent an email to 377,428 customers using Slickwraps' ZenDesk help desk system.

These emails begin with "If you're reading this it's too late, we have your data" and then link to the Lynx's Medium post.

Some of these customers have posted images of the image to Twitter as seen below.

Email to SlickWrap customers

When BleepingComputer asked Lynx if he knew who was sending out the emails, he told us that it was not them, but they had seen traces of other unauthorized users in Slickwraps' web site as well.

"I saw some activity during my research, maybe they're the same people who sent out the emails? No clue to be honest," Lynx told BleepingComputer.

When we asked why they continued to look for more vulnerabilities instead of simply contacting Slickwraps when they first gained access we were told:

"As a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there's still 10 others."

While Lynx told BleepingComputer that they were always concerned about legal repercussions after performing penetration testing, they felt that due to the severity of the data breach, it needed to be publicly disclosed.

"Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in that sense that they blocked me and did not care about their customers at all. Since this is a major breach, and I exhausted all my other options to contact them, I felt the need to disclose this publicly, in hopes that they fix this asap."

Even with the breach disclosed in the Medium post and technical details having been posted, Lynx told us that the vulnerabilities still exist in the web site and that they still have access.

For those who have used Slickwraps in the past, Lynx has passed along the customer info to Troy Hunt of the Have I Been Pwned data breach notification service.

It is not known if Hunt will add this database to his system, but if he does, customers will be able to check if their email addresses are included in the database provided by Lynx.

For now, it is strongly suggested that all users change their password at Slickwraps and to use a unique password at all web sites that they visit.

Slickwraps releases statement

In a statement posted to their Twitter account, Slickwraps CEO Jonathan Endicott has apologized for the data breach and promises to do better in the future.

Slickwraps Users, There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back. We are reaching out t0 you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party. The information did not contain passwords or personal financial data. The information did contain names, user emails, addresses. If you ever checked out as "GUEST" none of your information was compromised. If you were a user with us bef0re we secured this information on February 21st, we regretfully write this email as a notification that some of your information was included in these databases. Upon finding out about the public user data, we took immediate action to secure it by closing any database in question. As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts. We are deeply sorry this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols. More details will follow and we appreciate your patience during this process. Sincerely, Jonathan Endicott CEO @ Slickwraps

In the statement, though, Endicott says they first learned about this today, February 21st, while Lynx stated and showed screenshots of attempts to contact both Endicott via email and Slickwraps on Twitter prior to today

Email to Endicott disclosing breach

BleepingComputer has once again reached out to Slickwraps for further information.

Update 2/21/20 2:56PM EST: Added statement from Slickwraps