Ummm, if you are a Slickwraps customer, you might see an email arrive this morning that claims the company has been hacked. The email might not be lying to you either, as this does not appear to be a promotion or some sort of fun exercise. This may be related to a massive security breach.
An email titled “ATTN: ALL SLICKWRAPS CUSTOMERS” is showing up in inboxes with the word “Slickwraps” changed to “SLICKHACKED.” The email then goes on to say something close to the following:
if you’re reading this it’s too late. we have your data.
here’s where you live:
how do we have this data? we read this: https://medium.com/@lynx0x00/i-hacked-slickwraps-this-is-how-8b0806358fbb
what are we doing with your data? not much (that’s good!)
we’re just using 377428 emails from their customer database to send this mass email (that’s bad!)
because right now, ANYBODY can do what we just did, and they might do something really shitty with the same data we took
The email goes on from there to suggest you should contact Slickwraps to let them know about the breach and possibly contact your local authorities. They suggest you do that second part because of the story linked in that Medium article, where @Lynx0x00, who discovered the vulnerability, claims to have given Slickwraps proper notification and received little in response. I should note that the emails being sent are not from @Lynx0x00 and are instead from a 3rd party.
Here’s what you need to know.
- Slickwraps apparently has (or had) at least one really horrible security vulnerability. There may be even more. However, this single vulnerability allowed @Lynx0x00 to access almost every single detail about the company (revenue and sales, all of your data, payment APIs, and their Zendesk support account). It gave them so much access, they claim that they could have deleted the entire company’s existence if they wanted to. That’s the level of access they gained.
- Because Slickwraps failed to respond to them, blocked them, and tried to allegedly cover the tracks of this breach without notifying anyone, @Lynx0x00 has posted the entire situation to that Medium post above. You should read it here.
- At this time, we don’t know who else has accessed this data or if Slickwraps has buttoned things up. According to email screenshots flooding Twitter, this appears to be really bad.
- I’m in shock at how bad this is.
We tried to reach out to Slickwraps for comment, but they apparently offer zero way to contact them or removed all ways after this story broke on Twitter. We’ll do our best to update this.
- UPDATE 1 (2/21): We reached out to the email address that Slickwraps uses when they send promo emails, which is the one that customers were told to respond to, and it has been disabled.
- UPDATE 2 (2/21): You might want to avoid the Slickwraps site.
3- It seems as other people have also caught on and started to mess with it. I suggest to not visit their website as literally anyone has access to their systems and could upload malicious code to steal credentials, or whatever they might think of.
Stay safe guys.
— Lynx (@Lynx0x00) February 21, 2020
- UPDATE 3 (2/21): Slickwraps just emailed customers, confirming that their databases were “accessed by an unauthorized party.” They confirm that a lot of customer information was accessed (names, user emails, addresses), but claim that the information “did not contain passwords or personal financial data.”
- Their response also indicates that they were only informed of this breach on February 22 (it’s still February 21 in the US) and that they then closed their databases off immediately. That, as far as we can tell from the story that @Lynx0x00 posted, is not based in truth. Slickwraps was notified days ago and they proceeded to block the person who found the vulnerability rather than confront it.
- Slickwraps said that it will now partner with a third-party cyber security firm to audit and improve security protocols.
- They are recommending that you reset your passwords.
- Oh, they are super sorry too.