Using this access, Lynx stated that they were allegedly able to gain access to the resumes of employees, 9GB of personal customer photos, ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions.

“They had no interest in accepting security advice from me. They simply blocked and ignored me,” Lynx stated in the //medium.com/@lynx0x00/i-hacked-slickwraps-this-is-how-8b0806358fbb" target="_blank" rel="nofollow noopener noreferrer" style="box-sizing: border-box; background-color: transparent; color: rgb(66, 139, 202); text-decoration: none;">Medium post. This post has since been taken down by Medium, but is still available via //web.archive.org/web/20200221183003/medium.com/@lynx0x00/i-hacked-slickwraps-this-is-how-8b0806358fbb" target="_blank" rel="nofollow noopener noreferrer" style="box-sizing: border-box; background-color: transparent; color: rgb(66, 139, 202); text-decoration: none;">archive.org.

Since posting his Medium post, Lynx said that another unauthorized user sent an email to 377,428 customers using Slickwraps’ ZenDesk help desk system.

These emails begin with “If you’re reading this it’s too late, we have your data” and then link to the Lynx’s Medium post.

Some of these customers have posted images of the image to Twitter as seen below.

Lynx said that they had seen traces of other unauthorized users in Slickwraps’ web site as well.

“I saw some activity during my research, maybe they’re the same people who sent out the emails? No clue to be honest,” Lynx said.

When we asked why they continued to look for more vulnerabilities instead of simply contacting Slickwraps when they first gained access we were told:

“As a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there’s still 10 others.”

While Lynx said that they were always concerned about legal repercussions after performing penetration testing, they felt that due to the severity of the data breach, it needed to be publicly disclosed.

“Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in that sense that they blocked me and did not care about their customers at all. Since this is a major breach, and I exhausted all my other options to contact them, I felt the need to disclose this publicly, in hopes that they fix this asap.”

Even with the breach disclosed in the Medium post and technical details having been posted, Lynx told us that the vulnerabilities still exist in the web site and that they still have access.

For those who have used Slickwraps in the past, Lynx has passed along the customer info to Troy Hunt of the Have I Been Pwned data breach notification service.

It is not known if Hunt will add this database to his system, but if he does, customers will be able to check if their email addresses are included in the database provided by Lynx.

For now, it is strongly suggested that all users change their password at Slickwraps and to use a unique password at all web sites that they visit.

Slickwraps releases statement

In a statement posted to their Twitter account, Slickwraps CEO Jonathan Endicott has apologized for the data breach and promises to do better in the future.

Slickwraps Users,

There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.

We are reaching out t0 you because we've made a mistake in violation of that trust. On February 21st, we discovered information in some of our production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.

The information did not contain passwords or personal financial data.

The information did contain names, user emails, addresses. If you ever checked out as "GUEST" none of your information was compromised.

If you were a user with us bef0re we secured this information on February 21st, we regretfully write this email as a notification that some of your information was included in these databases.

Upon finding out about the public user data, we took immediate action to secure it by closing any database in question.

As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts.

We are deeply sorry this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.

More details will follow and we appreciate your patience during this process.

Sincerely,

Jonathan Endicott
CEO @ Slickwraps

In the statement, though, Endicott says they first learned about this today, February 21st, while Lynx stated and showed screenshots of attempts to contact both Endicott via email  and Slickwraps on Twitter prior to today

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.