Many companies have fallen foul of hackers in recent times, mostly due to poor security measures. It seems that device skin company Slickwraps is the latest to have been hacked. Here at Ausdroid we have used Slickwraps quite a bit, so we were quite surprised this morning to see such a big company had been a bit footloose and fancy-free with their databases.
Security researcher “Lynx” found a way to insert files into the root directory of the Slickwraps server. He then claimed to have been able to access admin details, customer billing, shipping addresses, phone numbers, social media accounts and more. He informed Slickwraps of the hack via Twitter, which is very unconventional:
Looks like your customers already aren't happy. This isn't gonna make it any better… pic.twitter.com/UQNwImpMSN
— Lynx (@Lynx0x00) February 16, 2020
So much for customer care… Guess you won't respond to my email either? There's only one option left then… Going public soon. pic.twitter.com/dW9bUfZ8JJ
— Lynx (@Lynx0x00) February 16, 2020
Well, can't say I didn't try…
F— Lynx (@Lynx0x00) February 16, 2020
After the tweet, others looked into the same vulnerability and more of the database was accessed. Many customers, including one former Ausdroider, received an email from one hacking group using Slickwraps’ own contact email to tell them they had been exposed. The email mentions not only his name but also his address. There is nothing nefarious about the email (or anything else, yet); it seems to be more to inform people that their details have been leaked and what to do about it now:
In a further failing, Slickwraps did not respond to the researcher, so he went public with details of his hack, posting it on Medium. Finally, Slickwraps have come clean with a fairly honest mea culpa:
While it is good to see Slickwraps come clean on the hack, it is disappointing it happened in the first place. Hopefully they fix up their issues quick smart, as they have a great product, but customers are unlikely to trust them until it is demonstrated as fixed.
This is yet another reminder for everyone to use unique passwords at all of their sites, and a password manager such as LastPass is basically essential in this day and age. If you had a Slickwraps account, we suggest you go and check what the password was and change it. If it was not unique, head to the other sites where you used it and change your password there too.