If you’ve ever adorned your laptop or smartphone with a pretty, customised vinyl skin, odds are good you got it from Slickwraps—or have at least heard of the popular creator of ready-made and customised skins. Unfortunately, Slickwraps recently suffered a data breach that affected more than 857,000 accounts. If you’ve ever purchased from them in the past, or created an account on the service with the intention to do so, here’s what you need to know.
Your passwords and personal financial data should be safe
Attackers took advantage of a vulnerability in Slickwraps’ server configuration to access customer databases. Some of those who did so then tried to be helpful by mass-emailing Slickwraps customers to tell them that their data was now out in the wild, but there’s no way to know who got their hands on these databases, nor what they’re planning to do with them.
Hey @SlickWraps, sorry to hear about your data breach. Even more sorry to see that you've kept my data for FIVE YEARS in blatant violation of GDPR. I'm reporting you now and I expect a lot of your EU customers will do the same. Info on GDPR fines: https://t.co/wb7BUMlWcp pic.twitter.com/pGVUGdi54C
— Soren Siim (@SorenSiim) February 21, 2020
The slight silver lining to this breach is that your financial information is protected, if you saved it on Slickwraps’ site. And your passwords are also fine, though this shouldn’t matter as astute Lifehacker readers will have already taken our advice and set up strong, unique passwords for each site and service they use. According to an email sent from Slickwraps after the breach:
“…On February 22nd, we discovered information in some of our non-production databases was mistakenly made public via an exploit. During this time, the databases were accessed by an unauthorised party.
The information did not contain passwords or personal financial data.”
As for your address…
The data contained in the accessed databases included customer names, email addresses, and physical addresses. While that’s probably not enough for someone to cause you much grief, it does leave you more exposed to phishing attempts. It’s also plausible that this data, combined with data from other breaches, is all an attacker would need to set up some kind of new account or service in your name—or, worse, recover your password on a separate service, or convince a customer-support agent that they are you.
Otherwise, there’s not much you can do in this case. While I don’t think you need to get wild and start setting up credit freezes, going after some free credit monitoring wouldn’t hurt as a default response to any kind of breach. This won’t help you out much if someone can associate your address with your email, but it’s a decent catch-all gesture for moments like these.
Your best response, aside from using whatever safeguards your browser has against spoofed websites, is to combine a strong adblocker with some common sense. If, or when, you receive an uninvited email or message asking you to do something, especially if it has some personal information about you that feels funny—like your address, randomly inserted in the request—get sceptical.
Think before you reply with whatever information it wants (if at all). Email or call the requestor separately to confirm that this is a legitimate solicitation. Don’t cough up your credit card information or any other critical bit of data unless you can confirm you aren’t being phished. As always, inspect the URLs when clicking on a link to a website to make sure you’re not sending your personal data to a scammer instead of, say, your bank.
And it almost goes without saying, but reset your Slickwraps password. Even though passwords weren’t purloined, it’s one of the first things you should do when any site or service you use suffers a data incident.
You might be safe depending on how you shopped at Slickwraps
Here’s one quirk to the Slickwraps database breach: If you purchased anything from the company, but checked out as a guest instead of making an account, you’re totally fine. In this case, no information about you was leaked as a result of the breach. Similarly, if you set up an account after February 22, you’re also in the clear.
How to check whether your account was affected
Slickwraps (or those accessing its database) should have sent you a message to indicate your information is affected by the breach. If you didn’t receive that email, or you just want to be double-sure, you can use Have I Been Pwned? to verify whether your credentials were in the leaked database.
I am a @slickwraps customer. I did not receive this email. I instead received an email from @Lynx0x00 informing me of the company's vulnerabilities. You were first notified on the 15th. Also "closing the databases in question" does not fix your shit security. pic.twitter.com/kJbRULxO9u
— JHuff (@jamesjr2) February 21, 2020
That all said, given that Slickwraps was allegedly informed about its security flaws well in advance of the database leak, you might want to reconsider where you shop for device skins going forward. It’s one thing to be hit with a cyberattack; it’s another to ignore those trying to help you patch up your databases before a breach hits, and then ask for forgiveness after the fact.