Hacked websites, databases, and companies are nothing new these days but some make headlines either because of their massive reach, egregious negligence, or publicized drama. The incident surrounding almost all of skin-maker Slickwraps’s customer data has all those elements, at least depending on which side you give credence to. The company has owned up to being hacked but only for a relatively low number of customer details and only in the past three days while the security researcher who disclosed the matter claims otherwise. Unfortunately, both sides may be a bit to blame for exacerbating the already unfortunate incident.
A person by the name of Lynx0x00 positioning himself as a cybersecurity analyst posted a blog last Friday detailing his unfavorable experience “reporting” a rather severe and easy to exploit vulnerability on Slickwraps’ servers. Lynx0x00’s Medium and Twitter accounts have mysteriously vanished but, fortunately, the Internet never truly forgets. That and enough eyes have seen and screen-capped the posts for posterity.
The security researcher detailed how he was able to access Slickwraps servers, gain admin access to various services, and pilfer customer data including email and shipping addresses and customer billing information. He also goes on to recount how he was practically ignored or even blocked by the company since he first tried to get their attention on February 16, forcing him to simply publish his findings. Unsurprisingly, other hacker groups jumped on the information to test it out with much success.
It wasn’t until Saturday that Slickwraps would make a public statement and email its customers about the incident. It claims that it only discovered the incident on February 21 and immediately restricted access to the exposes non-production server. It also claimed that the breach exposed only customer names, usernames, and email addresses but the emails customers received from the aforementioned hacking groups seemed to prove otherwise.
Given the lack of timely and honest disclosure, it’s difficult to determine which version of the events is to be believed. It’s not uncommon for companies to downplay such incidents or even lie about facts to save face or evade lawsuits. On the other hand, Lynx0x00’s disclosure methods and his accounts’ sudden disappearance doesn’t exactly speak well of the security researcher either.