Slickwraps is one of the most well-known sellers of vinyl skins for computers, phones, tablets, game consoles, and other product categories. If you've ever bought something from Slickwraps (without PayPal or another similar service), now is the time to replace your credit card, because the company has suffered multiple data breaches impacting all customer data.

The breaches started when security researcher 'Lynx' found a way to upload files to the root directory of Slickwraps' server (archived version), through the custom skin image upload form on the company's website. From there he claimed to have access to admin details, customer billing and shipping addresses, phone numbers, API credentials for customer support and social media accounts, and other data. The researcher 'disclosed' the hack to Slickwraps — and by 'disclosed,' I mean he said "Hey @SlickWraps, You failed the vibe check" in a public tweet (backup), and then posted screenshots of customer support messages (backup). I don't think that's how vulnerability disclosures work.

The public tweets led other hackers to look into the vulnerabilities (backup), which means there could be multiple copies of all breached databases. Many Slickwraps customers have received emails from at least one group, which is using Slickwraps' own contact email to inform customers they have been hacked.

There don't seem to be any reports of malicious uses of the Slickwraps database yet, but it's always incredibly difficult to tell how your payment information was hacked when random purchases show up on your bill. It's not clear if detailed payment information was accessible to hackers ⁠— the original blog post only mentioned that "API credentials for PayPal Payments Pro" was readily available — but it's plausible that someone with malicious intent could do more digging and find that data.

As of the time of publishing, the database has not been uploaded to Have I Been Pwned, a website where anyone can check if they have been affected by database breaches. Slickwraps has still not published any official response on any social media channels. We've reached out to the company for a statement, and we will update this post if we hear back.

UPDATE: 2020/02/21 11:30am PST BY CORBIN DAVENPORT

Slickwraps has sent out an email to customers explaining that the vulnerability did not leak "passwords or personal financial data," but did include names, emails, shipping addresses, and other data. Here's the full message:

Slickwraps Users,

There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.

We are reaching out to you because we’ve made a mistake in violation of that trust. On February 22nd, we discovered information in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorized party.

The information did not contain passwords or personal financial data.

The information did contain names, user emails, addresses If you ever checked out as "GUEST" none of your information was comprised.

If you were a user with us before we secured this information on February 22nd, we regretfully write this email as a notification that some of your information was included in these databases. If you are receiving this email and joined us after February 22nd, we write this email because you use our products and deserve to know how your data is being handled.

Upon finding out about the public user data, we took immediate action to secure it by closing any databases in question.

As an additional security measure, we recommend that you reset your Slickwraps account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. Finally, please be watchful for any phishing attempts.

We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.

More details will follow and we appreciate your patience during this process.

Sincerely,

Jonathan Endicott

CEO @ Slickwraps

The statement said Slickwraps became aware of the vulnerability on "Februrary 22nd," even though the company is based in the United States, where it is currently the 21st. It's not clear if that is a typo, or if the message was written by someone at Slickwraps working in another time zone.

Thanks: Jamie

UPDATE: 2020/02/22 12:14pm PST BY CORBIN DAVENPORT

If you're not sure if you've been affected, the databases have now been uploaded to Have I Been Pwned, so you can enter your email address on that site to check. The service says that the breach affected over 857,000 accounts.

Also, many of the disclosure messages sent out by the hacker group using hello@slickwraps.com have landed in spam boxes, so check your spam too.