Slickwraps says customer trust was ‘violated’ in data breach caused by glaring security holes

Note that this was a preventable breach: the company ignored a responsible disclosure attempt and only acted once the findings were public.

[…] Slickwraps was made aware of the breach via a post on Twitter. Troy Hunt, cybersecurity expert and the owner of Have I Been Pwned, was contacted to verify the user’s claims and the FBI was alerted. The vulnerable servers were then closed down and the exploits patched over.

However, an individual who notified Slickwraps of its cybersecurity issues is also of interest. As noted by Slashgear, the person went under the name of Lynx0x00.

A Medium blog post, now deleted but available in Internet archives, documents how Slickwraps’ “abysmal cybersecurity” permitted anyone to upload a file to root, leading to remote code execution (RCE) attacks and the ability to execute shell commands. A single upload.php file was at fault, according to Lynx0x00’s penetration testing report.

Alongside customer information, Lynx0x00 said that API credentials were also made available and they were able to make themselves the owner of the Slickwraps ZenDesk platform and backend CMS.

Lynx0x00 claims that multiple attempts were made to open a line of communication with Slickwraps, but the warnings were ignored and the individual was blocked on social media, leading to the research becoming public. It is not known why the blog post was later deleted.

The exposed data has been added to Have I Been Pwned, a search engine that can be used to see if your information has been involved in a data breach. In total, 857,611 customer accounts were compromised.

[…]

Original Article
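The article describes the classic unrestricted-upload bug: a single upload.php that let anyone write a file into a web-served directory, after which requesting that file runs it as PHP. The block below is an added illustration of that general pattern and of a hardened handler; it is not Slickwraps' code, nor code from the article or from Lynx0x00's report. The field name `file`, the storage path `/var/app/uploads`, the size limit and the image-only allowlist are assumptions chosen for the example.

```php
<?php
// Added example (not Slickwraps' code): the general "upload.php" pattern the
// article describes, next to a hardened version. Paths, field names and
// limits are assumptions for illustration.

// --- Vulnerable pattern (illustrative only, do not deploy) ---
// Trusts the client-supplied filename and writes it straight into the web
// root. Uploading "shell.php" containing a one-line PHP web shell and then
// requesting /uploads/shell.php?cmd=id gives remote command execution, which
// is exactly the failure mode the article reports.
function vulnerable_upload(array $file, string $webroot): string
{
    $dest = $webroot . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened pattern ---
// 1. Accept only a successful PHP upload (error code and is_uploaded_file).
// 2. Enforce a size limit before doing anything else.
// 3. Decide the type by content sniffing (finfo) against a short allowlist,
//    never by the client-supplied name or Content-Type header.
// 4. Discard the original filename; generate a random one with the extension
//    that matches the sniffed type.
// 5. Store outside the document root, non-executable, and serve files back
//    through a download script rather than by direct URL.
function hardened_upload(array $file, string $storageDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $maxBytes = 5 * 1024 * 1024;               // assumed limit: 5 MiB
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    $allowed = [                               // sniffed MIME type => extension
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('disallowed file type');
    }

    // Belt and braces: the payload must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Random server-chosen name; the user's filename never touches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;   // outside the web root
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                         // never executable
    return $name;                               // reference to keep in the DB
}

// Request handler (assumed field name "file" and assumed storage path).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    header('Content-Type: application/json');
    try {
        $stored = hardened_upload($_FILES['file'], '/var/app/uploads');
        http_response_code(201);
        echo json_encode(['id' => $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Two points worth checking in any real deployment beyond the code itself: the storage directory must sit outside every web-served path (or the web server must be configured to refuse to execute scripts there), and the same review should be applied to every other handler that writes files, since the article notes that one unnoticed upload endpoint was enough to compromise the whole site.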