A popular producer of smartphone skins has suffered a major data breach, compromising the personal details of over 857,000 customers.
Slickwraps issued a breach notification to customers last Friday, claiming that data in “some of our non-production databases was mistakenly made public via an exploit,” and then accessed by an unauthorized third party.
In fact, what appears to have happened is that a security researcher going by the moniker “Lynx” on Twitter discovered a vulnerability in the Slickwraps website and then publicly disclosed it to the firm via the social media site, before writing up the findings in a Medium post. Both have since been deleted.
Before the firm had time to respond, it seems that hackers stepped in to exploit the bug and access the customer data, according to Android Police. The hackers subsequently emailed users to inform them their data was now compromised.
According to notification site HaveIBeenPwned?, 857,611 unique email addresses were compromised in the breach, belonging to customers and newsletter subscribers. Also included were names, physical addresses, phone numbers and purchase histories.
Slickwraps assured users that if they checked out as a “guest” their details are safe. It added that no passwords or financial data were stolen, but recommended customers change their passwords anyway as a precaution.
Jake Moore, cybersecurity specialist at ESET, warned that hackers can still do a lot of damage, even with a list of emails and names.
“The biggest risk is via brute force attacking the accounts, where criminals use leaked common password combinations against the emails to try and break into other personal accounts. A large number of people still use predictable or simple passwords,” he explained.
“Together with recent high-profile breaches, many people's passwords are also readily available on the dark web, so it quickly becomes just a simple exercise for cyber-criminals to join the dots. The threat this poses is then increased, as many people use the same passwords across multiple accounts.”
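The credential-stuffing scenario Moore describes, where leaked email addresses are paired with common or previously breached passwords and tried against other services, has a recognisable shape in a service's authentication logs: one source trying many distinct accounts in a short time with mostly failures, and the occasional success marking an account whose reused password worked. The following is an added example, not code from the article or from Slickwraps, that flags that pattern. The log line format, the field names, the sample IP addresses and email addresses, and the thresholds (five distinct accounts inside five minutes with at most a 20% success rate) are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the article). The line
# format "<ISO timestamp> ip=<addr> user=<email> result=<ok|fail>" is an
# assumption of this example. One source tries six accounts in seconds; a
# normal user at another address mistypes their own password twice.
SAMPLE_LOG = """\
2020-02-21T10:00:01 ip=203.0.113.5 user=alice@example.com result=fail
2020-02-21T10:00:03 ip=203.0.113.5 user=bob@example.com result=fail
2020-02-21T10:00:04 ip=203.0.113.5 user=carol@example.com result=fail
2020-02-21T10:00:06 ip=203.0.113.5 user=dave@example.com result=fail
2020-02-21T10:00:07 ip=203.0.113.5 user=erin@example.com result=ok
2020-02-21T10:00:09 ip=203.0.113.5 user=frank@example.com result=fail
2020-02-21T10:01:00 ip=198.51.100.7 user=grace@example.com result=fail
2020-02-21T10:01:05 ip=198.51.100.7 user=grace@example.com result=fail
2020-02-21T10:01:12 ip=198.51.100.7 user=grace@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "result": m.group("result"),
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts, mostly unsuccessfully,
    inside a sliding time window. A legitimate user who mistypes their own
    password only ever touches one account, so they are not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so that span covers at most `window` of time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = sum(1 for e in span if e["result"] == "ok")
            if len(users) >= min_distinct_users and successes / len(span) <= max_success_ratio:
                alerts.append({
                    "ip": ip,
                    "attempts": len(span),
                    "distinct_users": len(users),
                    # Successful logins from a stuffing source are the accounts
                    # whose reused passwords worked: force-reset those first.
                    "compromised_users": sorted(
                        e["user"] for e in evs if e["result"] == "ok"
                    ),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{alert['ip']}: {alert['distinct_users']} accounts in "
              f"{alert['attempts']} attempts; successes: {alert['compromised_users']}")
```

Running the block on the constructed log flags only 203.0.113.5 and lists erin@example.com as the account to reset; the repeated failures from 198.51.100.7 against a single account are left alone. The thresholds are deliberately conservative and would need tuning against a real service's baseline, and a production detector would key on more than the source address, since stuffing is commonly spread across many addresses.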