Slickwraps Data Breach Exposing Financial and Customer Info

Slickwraps, a mobile device case retailer, has suffered a major data breach exposing employee resumes, personal customer information, API credentials, and more. Bleeping Computer reports:

In a post to Medium, a security researcher named Lynx states that in January 2020 he was able to gain full access to the Slickwraps web site using a path traversal vulnerability in an upload script used for case customizations. Using this access, Lynx stated that they were allegedly able to gain access to the resumes of employees, 9GB of personal customer photos, ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions.

After trying to report these breaches to Slickwraps, Lynx stated they were blocked multiple times even when stating they did not want a bounty, but rather for Slickwraps to disclose the data breach. “They had no interest in accepting security advice from me. They simply blocked and ignored me,” Lynx stated in the Medium post. This post has since been taken down by Medium, but is still available via archive.org. Since posting his Medium post, Lynx told BleepingComputer that another unauthorized user sent an email to 377,428 customers using Slickwraps’ ZenDesk help desk system. These emails begin with “If you’re reading this it’s too late, we have your data” and then link to the Lynx’s Medium post. […] In a statement posted to their Twitter account, Slickwraps CEO Jonathan Endicott has apologized for the data breach and promises to do better in the future. In the statement, though, Endicott says they first learned about this today, February 21st, while Lynx stated and showed screenshots of attempts to contact both Endicott via email and Slickwraps on Twitter prior to today.