
Cyber Incident Victim: Slickwraps

Date: Jan 2020

Location: United States of America

Summary

A mobile device case retailer suffered a data breach after a security researcher exploited a path traversal vulnerability in its customization upload script, gaining unauthorized access to internal systems. The compromise exposed extensive customer data including hashed passwords, addresses, email addresses, phone numbers, transaction records, employee resumes, and approximately 9GB of personal photos. Despite repeated disclosure attempts by the researcher, the company initially ignored communications and blocked contact attempts. Subsequently, an unrelated unauthorized actor leveraged the compromised ZenDesk system to send breach notification emails to over 377,000 customers, directing them to the researcher’s findings. The researcher provided the stolen data to a third-party breach notification service, while the company’s CEO publicly acknowledged the incident and issued an apology.


Description

In January 2020, a security researcher identifying as Lynx discovered a path traversal vulnerability in an upload script used by Slickwraps, a mobile device case retailer, for custom case image submissions. This vulnerability enabled unauthorized access to the company’s internal systems. Lynx reported gaining access to 9GB of customer-uploaded personal photos, employee resumes, ZenDesk ticketing system credentials, API credentials, and customer databases containing hashed passwords, physical addresses, email addresses, phone numbers, and transaction histories. After multiple unsuccessful attempts to contact Slickwraps via email to report the breach—including explicit statements that no bounty was sought, only breach disclosure—Lynx stated the company blocked all communications. With no response from Slickwraps, Lynx publicly disclosed the vulnerability and data exposure in a Medium post in February 2020. Medium later removed the post, but it remained accessible via archive.org.

Following the disclosure, an unidentified third party exploited Slickwraps’ compromised ZenDesk system to send emails to 377,428 customers with the subject line “If you're reading this it's too late, we have your data,” linking to Lynx’s archived Medium post. Lynx confirmed to BleepingComputer that this unauthorized email campaign was not their action but noted evidence of other unauthorized users accessing Slickwraps’ systems during the same period. Slickwraps CEO Jonathan Endicott issued a public apology via Twitter, acknowledging the breach and committing to improved security practices. Lynx provided the exposed customer data to Troy Hunt of Have I Been Pwned for potential inclusion in the breach notification service, though the source material did not confirm whether the data was added. Security analysts advised affected customers to change their Slickwraps passwords and avoid password reuse across other platforms.
