Slickwraps Suffers Data Breach After Ignoring Warnings From Security Researcher

Slickwraps, a company that develops skins for Apple devices like the iPhone and Mac, yesterday suffered a data breach that saw customer info like names and addresses leaked.

News of the leak surfaced when hackers who got into the database sent out emails to Slickwraps' customer base of more than 370,000 users letting them know about Slickwraps' poor security.

slickwrapsdatabreachemail
Prior to the breach, Slickwraps was warned of the vulnerabilities in its site (linked to the create a skin feature) multiple times by a security researcher who goes by Lynx on Twitter, who has now deleted all of his tweets.

Lynx informed Slickwraps about the data breach on February 15, and attempted to get in touch with the company several times over the course of the last week, as outlined by an article shared on Medium that has now been suspended by Medium. Lynx had his emails ignored and was even blocked by Slickwraps on Twitter after attempting to inform the site of its security vulnerabilities.

Lynx's interactions with Slickwraps were not exactly polite and he was dealing with customer support staff that were clearly confused about what was going on based on the now-removed Medium article, but Slickwraps blatantly ignored multiple warnings about its poor security before the data breach. Lynx says that he did not send out the emails that were delivered to Slickwraps customers yesterday and that it was a third-party data breach that happened after his article was published, but with his Medium post suspended and all of his tweets deleted, he may be in some hot water for the public way that he disclosed the vulnerabilities in the site.

After the emails went out and customers became aware of the data breach, Slickwraps finally commented on the situation. An initial statement tweeted by Slickwraps (which is based in the United States) claimed to have just heard about the data breach on "February 22" when it was still February 21, which was inaccurate because Lynx documented his attempts to get in touch with the company on Twitter. Slickwraps later deleted the statement and tweeted a new one with the correct date. From Slickwraps' statement:

There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.

We are reaching out to you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.

The information did not contain passwords or personal financial data.

The information did contain names, user emails, addresses. If you've ever checked out as "GUEST" none of your information was compromised.

Slickwraps goes on to say that it is "deeply sorry" for the oversight and promises to "learn from this mistake." It recommends that users reset their account passwords and be watchful for any phishing attempts.

Going forward, Slickwraps says that it will enhance its security processes, improve communication of security guidelines to Slickwraps employees, and make user-requested security features a "top priority." The company says that it is also partnering with a third-party cyber security firm to audit and improve security protocols.

Slickwraps' data breach demonstrates the importance of penetration testing for any site that deals with customer data. Data breaches are pretty much impossible to avoid these days, but customers can protect themselves somewhat by using unique passwords for every site and using two-factor authentication where appropriate.

Top Rated Comments

twistedpixel8 Avatar
15 months ago
Complacency regarding security in 2020 is inexcusable. If you behave this way with customer data you shouldn’t run a company.
Score: 50 Votes (Like | Disagree)
Dave-Z Avatar
15 months ago

he may be in some hot water for the public way that he disclosed the vulnerabilities in the site.
He made attempts to alert the company, they outright refused to acknowledge him. He then disclosed it publicly. That's literally what every security researcher does.
Score: 24 Votes (Like | Disagree)
primarycolors Avatar
15 months ago
If anyone doesn't know, SlickWraps already had an incredibly sleazy track record. Constant discounts from false prices (false advertising), failing to deliver on orders, failing to respond to customer service, alleged artwork theft... not to mention their ridiculous social media bots posting fake pro-SlickWraps BS on Reddit and mass downvoting anything against them. I unfortunately fell for the fake sales when I didn't know better and got my info in their system...

SlickWraps is a true train wreck company. I'm absolutely enraged yet not surprised by their poor handling of this.

Now, I'm really curious to see what charges they will face from GDPR violations.
Score: 17 Votes (Like | Disagree)
Will Tisdale ? Avatar
15 months ago
I wonder on what grounds Medium ‘suspended’ that researchers post?

I guess that’s yet another reason not to use blogging services like that for anything remotely important.

Also, if the researcher has been ignored and then blocked as appears to have happened, then public disclosure is the only way. I don’t see an issue with it.
Score: 16 Votes (Like | Disagree)
Bkxmnr Avatar
15 months ago
"Fat, drunk, and stupid is no way to go through life son." Ignoring advice from security experts falls under the stupid category.
Score: 16 Votes (Like | Disagree)
Will Tisdale ? Avatar
15 months ago

An important lesson and message companies like Slickwrap are conveying with this: if you find a vulnerability of a service on the internet, never ever disclose it to the owners. You will be deemed the Problem and your behind gets prosecuted to set an example. You make them look bad, you make them do extra work, you piss them off. You need to be silenced.

Instead, sit on that information quietly. Sell the exploit on the black market if you want to profit off it. Get wild, just try not to get caught. You'll be way safer that way.
Yep, it’s a completely irresponsible way of dealing with a report. What’s so wrong or difficult about listening to the researcher, reproducing the issue and fixing it without being an arse about it?

Ignoring someone who is ultimately trying to help is very much a spoilt child mentality.
Score: 13 Votes (Like | Disagree)

Top Stories

apple event spring loaded

Apple's 'Spring Loaded' Event Officially Announced for Tuesday, April 20

Tuesday April 13, 2021 9:04 am PDT by
Following an overnight leak by Siri, Apple today officially announced that it will be holding a special "Spring Loaded" event on Tuesday, April 20 at 10:00 a.m. Pacific Time at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with all of Apple's 2020 events, the April 2021 event will be a digital-only gathering with no members of the media invited to attend in...
iphone12cameras

Kuo: 2022 iPhones to Feature 48-Megapixel Camera, 8K Video, and 6.1 and 6.7" Sizes With No 5.4" Mini Option

Tuesday April 13, 2021 10:45 pm PDT by
The upcoming 2022 iPhone lineup will feature two 6.1-inch devices and two 6.7-inch devices, with no mini-sized 5.4-inch iPhone, well-respected Apple analyst Ming-Chi Kuo said in a note to investors that was seen by MacRumors. Two of the iPhones will be high-end models and two of the iPhones will be lower-end models, similar to the current iPhone 12 lineup. Apple introduced the 5.4-inch...
macos catalina serial number

Apple Preparing Rollout of New Randomized Product Serial Numbers Ahead of 'Spring Loaded' Event

Wednesday April 14, 2021 2:08 am PDT by
Apple is advising its authorized premium resellers and dealers to prepare for new products with 10 and 12 digital serial numbers, days ahead of when it's expected to reveal a slew of new products. MacRumors previously reported that Apple plans to switch to randomized serial numbers for future products starting in early 2021. The company now seems to be preparing for that roll-out, telling...
apple event particularly innovative article

Gurman: Apple's 'Spring Loaded' Event Won't Feature Anything 'Particularly Innovative'

Thursday April 15, 2021 1:30 am PDT by
Bloomberg's highly-respected Mark Gurman says that he expects nothing "particularly innovative" or "extraordinary" to launch at Apple's "Spring Loaded" event next week, Tuesday, April 20. Gurman made the remarks during an interview for Bloomberg Technology, in which he reaffirmed that Apple will launch a new 11-inch and 12.9-inch iPad Pro, with the higher-end model featuring a brand new...
duanrui iphone13 notch samples

More Leaked iPhone 13 Samples Show Smaller Notch, Repositioned Earpiece and Front Camera

Wednesday April 14, 2021 1:06 am PDT by
Leaker known as "DuanRui" has today shared an image of two iPhone 13 "film samples," which show the same rumored smaller notch design coming to the iPhone 13 series that we've seen from other sources. In past tweets, DuanRui has accurately leaked the correct names of the iPhone 12 models and an iPad Air 4 manual revealing its new design, so there's good reason to think this leak is credible, ...
siir apple event april 20

Siri Reveals Apple Event Planned for Tuesday, April 20

Tuesday April 13, 2021 12:04 am PDT by
Siri has apparently prematurely revealed that Apple plans to hold an event on Tuesday, April 20, where the company is expected to reveal brand new iPad Pro models and possibly its long-awaited AirTags trackers. Subscribe to the MacRumors YouTube channel for more videos. Upon being asked "When is the next Apple Event," Siri is currently responding with, "The special event is on Tuesday, April...
apple event hashflag

Twitter Hashflag for April 20 Apple Event Goes Live

Tuesday April 13, 2021 2:21 pm PDT by
Following the overnight Siri leak and subsequent announcement that Apple will hold a media event on Tuesday, April 20, a new Twitter hashflag has appeared to help provide visibility for the event on the platform. For the last several recent events, Apple has utilized hashflags, which are little icons next to hashtags on Twitter, as a way to market its events. The company first started the...
parallels windows 10 arm mac

Parallels 16.5 Can Virtualize ARM Windows Natively on M1 Macs With Up to 30% Faster Performance

Wednesday April 14, 2021 7:00 am PDT by
Parallels today announced the release of Parallels Desktop 16.5 for Mac with full support for M1 Macs, allowing for the Windows 10 ARM Insider Preview and ARM-based Linux distributions to be run in a virtual machine at native speeds on M1 Macs. Parallels says running a Windows 10 ARM Insider Preview virtual machine natively on an M1 Mac results in up to 30 percent better performance compared ...
iphone 13 pro render rear

iPhone 13 Pro Rumored to Be Thicker and Feature Larger Rear Camera System

Wednesday April 14, 2021 7:07 am PDT by
Tech blog 91Mobiles has obtained 3D renders of what it claims will be the iPhone 13 Pro, revealing a largely familiar design with a few notable changes, including a smaller notch and a significantly larger rear camera system. Following renders of the standard iPhone 13 model from MySmartPrice yesterday, which showed a new diagonal rear camera layout, these renders of the 6.1-inch iPhone 13...
third gen Apple pencil leaked video

Video of Alleged Third-Generation Apple Pencil Leaks Ahead of Apple Event

Friday April 16, 2021 6:13 am PDT by
A video purporting to be of the third-generation Apple Pencil has today been shared online, showing a glossy finish that mirrors previous leaks. New ✏️ ready to 🚢 #AppleEvent @TommyBo50387266 pic.twitter.com/s4RCDwDi5M— 漢尼斯·拉斯納 🇨🇳 (@ileakeer) April 16, 2021 The brief video from Twitter account @ileakeer, spotted by 9to5Mac, shows an Apple Pencil with a glossy finish much like the...