SlickWrapsSlickWraps

Update, February 21, 2020 (02:55 PM ET): This whole SlickWraps thing just got more intense. First, Lynx’s Twitter account was temporarily suspended (it’s back now though). However, the Medium blog post that details all the information about the hack has been removed.

Then, the CEO of SlickWraps posted a response to the breach (via Kellen from Droid-Life). The message, which you can read here, is deeply apologetic. However, it’s strange because it not only came from one of the hacked email accounts but also is dated in the future — the date February 22 is cited numerous times in the letter. SlickWraps is a US-based company, so it is definitely not February 22 for the brand.

As of now, the company is still open for a business and its website is active. Who knows how long that will last though, as now any hacker could literally destroy the company at any moment.


Original article, February 21, 2020 (01:58 PM ET): Data breaches happen quite often nowadays. Usually, though, they involve various amounts of user data leaking to the so-called “dark web” and then people getting into an uproar. However, the SlickWraps data breach publicized today might be the most over-the-top breach ever.

A hacker going by the name Lynx not only gained access to customer information on SlickWraps but gained control over the entire business. In a very long and very thorough report on the Lynx Medium blog, the hacker proves they could have, quite literally, erased every single aspect of the company’s business.

Lynx was able to do this because of the “abysmal” security checks in place surrounding all aspects of SlickWraps. Through some simple hacking that even I fully understand, Lynx was able to gain complete control over the following:

  • All admin account details, including password hashes.
  • All current and historical customer information including addresses, emails, phone numbers, and transaction histories.
  • API credentials for PayPal Payments Pro and Braintree, which process credit card payments.
  • API credentials for ShipHero, its warehouse management system.
  • API credentials for SlickWraps social accounts, including top-level access to its Facebook, Twitter, and Instagram accounts.

In the words of Lynx: “At this point, I could have deleted their entire company.”

After gaining all this access, Lynx attempted numerous times to contact SlickWraps to let the company know it had a big problem. However, the company continually ignored Lynx, even going so far as to block them on Twitter. Lynx only decided to go public with the data breach after exhausting all other options.

If you’re interested, read Lynx’s entire report here. In the meantime, we recommend not buying anything from SlickWraps if you want to avoid your financial data getting stolen.

More posts about Cybersecurity

Comments
Read comments