Slickwraps Hacked - Failed to notify Customers for 6 months+

Permabanned
Joined
9 Aug 2008
Posts
35,707
I just read all of it. Not sure in this case what the law would say or do in regard to the person who hacked into the database though.

Would they actually get jail time for saying that they would leak personal details or, even worse, actually leaking the details of all users who have used the site?

I’m not sure if I like the idea of sticker wraps being on my phone lol
 
Permabanned
Joined
26 Sep 2019
Posts
494
Would they actually get jail time for saying that they would leak personal details or, even worse, actually leaking the details of all users who have used the site?

They convicted weev of accessing a publicly accessible AT&T server that contained people's details. But a lot of that had to do with how they disclosed the flaw and what they did with the information before disclosure. And of course it was weev, so they were looking for any chance to put him in jail.

This individual has a lengthy paper / digital trail showing the effort they put in to contact Slickwraps and the time they were willing to give Slickwraps before going public. They have done everything they could considering the responsible disclosure guidelines. Slickwraps were either too incompetent to fix the flaw, or too self-important to think someone would actually disclose, in the public interest, a glaring security hole in their systems and either their inability or reluctance to fix it. Six months makes me think they were both incompetent and arrogant.
 
Permabanned
Joined
26 Sep 2019
Posts
494
I never realised there was a responsible disclosure guideline. I’ll give that a read over.

There's nothing set in stone. It's just considered "good form" if you're a white hat hacker and security researcher. It gives the hardware manufacturers or software developers time to implement fixes.

A lot of hackers and security researchers will discover zero-day exploits and sit on them until some competition comes around like Pwn2Own, where they can win money and prizes by successfully exploiting manufacturer and developer systems. Tesla gave away a Model 3 and 375k dollars to a couple of researchers who exploited their system. Pwn2Own is getting close to handing out 1 million dollars in prizes for exploits. Of course, when contestants succeed in exploiting something, part of the deal is they hand over the details of the exploit to the manufacturer or developer so it can be patched and fixed.

Most organisations have some form of bug bounty program. Slickwraps should have probably had 50k sitting around in a bug bounty fund to dish out to people who were good enough to find flaws. Hell, they could have contracted him to fix the bloody flaw.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,000
I don't get why he tried to approach them in the manner he did - first nudging them on Twitter with a relatively cryptic message and later dropping a fairly easy-to-miss text file (sure, their system admin/IT sec should have picked up on it) rather than just doing a full disclosure in a formal manner to the owner of the company via a legal representative such as a solicitor, etc.

Almost like he is trying to generate drama and be a bit fractious.

EDIT: In fact the whole thing is ****** childish in manner - complaining about them not notifying customers while being obtuse about the security issues because they didn't jump through his hoops - why not just do a proper full disclosure via one of the many formal ways of doing it these days?

EDIT2: 90% through the chain of events and:

I looked to my admin panel records, found “User ID 1” (Jonathan Endicott, CEO of SlickWraps) and sent a very concise email.

Given the seriousness of it... why not do that in the first place?
 
Associate
Joined
31 Aug 2017
Posts
2,209
I suspect he went to the trouble of treating them the way he did because most crap admins or managers would just bin a polite email about being hacked. In fact they did further down the line, no surprise there.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,000
I suspect he went to the trouble of treating them the way he did because most crap admins or managers would just bin a polite email about being hacked. In fact they did further down the line, no surprise there.

You can't really take the high ground over the seriousness of customer data breaches, etc. on the one hand and then not follow a proper formal path on the other hand, though; there are organisations out there who handle it and/or, failing that, going through a proper legal entity. We've just had updated data sensitivity training at work and one of the things they drum in is properly reporting it at the highest level first and foremost, no matter how much trouble that might cause for the company, etc.

EDIT: I understand his frustration when dealing with companies like this, but he didn't even give them a chance and, rather than spell it out, he was passive-aggressive in approach, throwing obstacles in their way because he already assumed the worst/was looking down on them.
 