Slickwraps is one of the most well-known sellers of vinyl skins for computers, phones, tablets, game consoles, and other product categories. If you’ve ever bought something from Slickwraps (without PayPal or another similar service), now is the time to replace your credit card, because the company has suffered multiple data breaches impacting all customer data.
The breaches started when security researcher ‘Lynx’ found a way to upload files to the root directory of Slickwraps’ server (archived version), through the custom skin image upload form on the company’s website. From there he claimed to have access to admin details, customer billing and shipping addresses, phone numbers, API credentials for customer support and social media accounts, and other data. The researcher ‘disclosed’ the hack to Slickwraps — and by ‘disclosed,’ I mean he said “Hey @SlickWraps, You failed the vibe check” in a public tweet (backup), and then posted screenshots of customer support messages (backup). I don’t think that’s how vulnerability disclosures work.
The public tweets led other hackers to look into the vulnerabilities (backup), which means there could be multiple copies of all breached databases. Many Slickwraps customers have received emails from at least one group, which is using Slickwraps’ own contact email to inform customers they have been hacked.
Don’t reach out. pic.twitter.com/A1udbHwwZ0
— Cesar Torres (@towerz650) February 21, 2020
@SlickWraps I made an order 4 years ago and I just got an email saying that my data has been compromised, including my email address, my previous address and phone number.
— David (@dpfjobs) February 21, 2020
There don’t seem to be any reports of malicious uses of the Slickwraps database yet, but it’s always incredibly difficult to tell how your payment information was hacked when random purchases show up on your bill. It’s not clear if detailed payment information was accessible to hackers — the original blog post only mentioned that “API credentials for PayPal Payments Pro” were readily available — but it’s plausible that someone with malicious intent could do more digging and find that data.
As of the time of publishing, the database has not been uploaded to Have I Been Pwned, a website where anyone can check if they have been affected by database breaches. Slickwraps has still not published any official response on any social media channels. We’ve reached out to the company for a statement, and we will update this post if we hear back.