Skullcandy.in web server and database backups exposed
After nothing was done for months, an email to the Skullcandy CEO finally got the issue fixed.
Who is Skullcandy?
“Skullcandy Inc. is an American company based in Park City, Utah, that markets technology such as headphones, earphones, Bluetooth speakers and other products.” according to their Wikipedia page.
Finding the exposed data
At the end of October 2024, while looking at exposed servers, I noticed one with two files exposed inside, both named backup*, one a .zip and one a .sql file. The .sql file header showed the database was named “skullcandy”, and since I had heard the brand name before I decided to dig further into exactly what was exposed here.
Examining the exposed data
Both exposed files were from a backup made on July 14th 2022, and the first time I have this flagged as exposed in my logs is September 2024; I have no way to confirm whether it had been exposed since July 2022 or ended up exposed some time later.
The .zip file was 2.3 GB (compressed) and contained a backup of the Skullcandy.in web server; among other things, the uploaded files included CVs of Skullcandy.in applicants. This backup also included all kinds of config files for the web server.
The .sql file was over 19 GB and contained a backup of the Skullcandy.in WordPress database, which included:
6.6 million lines of user metadata (browser information, billing and shipping information such as first and last name, full address and email) - 135,374 unique email addresses.
157,468 unique email addresses in the user table (around the same user count) with nickname, email and hashed passwords (WordPress hashes).
There was payment information such as the service used, with IP address and user linked, but I couldn’t find any card details etc. with a quick look through the backup.
Product information, coupon codes and other things were also exposed in the database. I did not spend much time identifying everything exposed here.
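The kind of first-pass triage described above (database name from the dump header, which tables are present, how many unique email addresses, what password hash format) can be done by streaming the .sql file line by line instead of importing 19 GB into MySQL. The script below is an added example, not code from the original post; it runs over SAMPLE_DUMP, a small constructed mysqldump fragment with fake accounts in WordPress's wp_users/wp_usermeta layout, and the function and regex names are mine. It assumes mysqldump's default output (backslash-escaped strings, one INSERT statement per line).

```python
"""Triage a mysqldump-style .sql backup without loading it into a database."""
import re
from collections import Counter, defaultdict

# Constructed sample: a mysqldump header plus two WordPress tables with fake rows.
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 5.7.38, for Linux (x86_64)
--
-- Host: localhost    Database: skullcandy
-- ------------------------------------------------------
CREATE TABLE `wp_users` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_login` varchar(60) NOT NULL DEFAULT '',
  `user_pass` varchar(255) NOT NULL DEFAULT '',
  `user_email` varchar(100) NOT NULL DEFAULT ''
) ENGINE=InnoDB;
INSERT INTO `wp_users` VALUES (1,'alice','$P$BabcdefghijklmnopqrstuvwxyzAB012','alice@example.com'),(2,'bob','$P$B0123456789abcdefghijklmnopqrstuv','bob@example.com');
INSERT INTO `wp_users` VALUES (3,'alice2','$P$Bzyxwvutsrqponmlkjihgfedcba987654','ALICE@example.com');
CREATE TABLE `wp_usermeta` (
  `umeta_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_id` bigint(20) unsigned NOT NULL DEFAULT '0',
  `meta_key` varchar(255) DEFAULT NULL,
  `meta_value` longtext
) ENGINE=InnoDB;
INSERT INTO `wp_usermeta` VALUES (1,1,'billing_email','alice@example.com'),(2,2,'billing_email','bob@example.com'),(3,1,'shipping_address_1','1 Main St');
"""

DB_HEADER_RE = re.compile(r"^--\s+Host:\s+\S+\s+Database:\s+(\S+)")
CREATE_RE = re.compile(r"^CREATE TABLE `?(\w+)`?", re.IGNORECASE)
INSERT_RE = re.compile(
    r"^INSERT INTO `?(\w+)`?\s*(?:\([^)]*\)\s*)?VALUES\s*(.*);\s*$", re.IGNORECASE | re.DOTALL)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# phpass ($P$/$H$), bcrypt ($2y$/$2a$), WordPress's newer $wp$-prefixed bcrypt, argon2.
HASH_RE = re.compile(r"'(\$(?:P|H|2y|2a|wp|argon2id?)\$[^']*)'")


def split_rows(values: str) -> list[str]:
    """Split the text after VALUES into row bodies, honouring quotes and backslash escapes."""
    rows, cur, depth, quote, i = [], [], 0, None, 0
    while i < len(values):
        c = values[i]
        if quote:                      # inside a string literal
            cur.append(c)
            if c == "\\" and i + 1 < len(values):
                cur.append(values[i + 1])   # keep escaped char verbatim
                i += 1
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth == 1:
                cur = []               # start of a new row tuple
            else:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                rows.append("".join(cur))
            else:
                cur.append(c)
        elif depth > 0:
            cur.append(c)
        i += 1
    return rows


def triage(lines) -> dict:
    """Stream a dump and collect database name, tables, row counts, emails and hash types."""
    report = {"database": None, "tables": [], "rows": Counter(),
              "emails": defaultdict(set), "hash_types": Counter()}
    for line in lines:
        line = line.rstrip("\n")
        if report["database"] is None:
            m = DB_HEADER_RE.match(line)
            if m:
                report["database"] = m.group(1)
                continue
        m = CREATE_RE.match(line)
        if m:
            report["tables"].append(m.group(1))
            continue
        m = INSERT_RE.match(line)
        if not m:
            continue
        table = m.group(1)
        for row in split_rows(m.group(2)):
            report["rows"][table] += 1
            for email in EMAIL_RE.findall(row):
                report["emails"][table].add(email.lower())
            if table.endswith("users"):        # only look for hashes in the users table
                for h in HASH_RE.findall(row):
                    report["hash_types"][h.split("$")[1]] += 1
    return report


def unique_emails(report: dict) -> int:
    """Number of distinct (case-folded) email addresses across all tables."""
    return len(set().union(*report["emails"].values())) if report["emails"] else 0


if __name__ == "__main__":
    # For a real backup: with open(path, encoding="utf-8", errors="replace") as f: rep = triage(f)
    rep = triage(SAMPLE_DUMP.splitlines(keepends=True))
    print(rep["database"], rep["tables"], dict(rep["rows"]))
    print({t: len(e) for t, e in rep["emails"].items()}, dict(rep["hash_types"]))
    print("unique emails:", unique_emails(rep))
```

Case-folding the addresses matters for the unique count: the same person often appears with different capitalisation in wp_users and in the billing metadata. The hash prefix tells you how much the password column is worth to an attacker: `$P$` is the phpass portable hash WordPress used for years, which is far cheaper to crack than bcrypt. The script keeps memory bounded by the longest single line, which is what a 19 GB dump with extended inserts requires; a dump whose INSERT statements span multiple lines would need the statement reassembled before calling split_rows.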
Notifying Skullcandy
On October 28th 2024, after looking at the Skullcandy website and being redirected to the .in domain, I sent a message to the email listed on the website for customer support (customercare@brandeyes.in) and to CERT-IN. I got automated replies from both entities, and the Skullcandy customer care response mentioned that all queries are addressed within 48 working hours.
On October 31st, after no response and with the server still exposed, I sent an email to dataprotection@skullcandy.com with the information I had.
Around a week or so later, with still nothing done, I decided to try the Skullcandy.in live chat. After fighting with the bot, which initially said there was no way to talk to a person, I was given a time when a rep would be online, so I went back around that time and pushed the bot to get me in contact with a real person.
I explained the situation briefly and asked for a contact to send the details to, and was told to use the dataprotection@ email I had already used; after saying that I had, I was told that was the correct email and to wait until they addressed it, so I waited.
On January 25th 2025, almost 2 months after my initial emails, this server was still exposed and I still hadn’t gotten any response at all, so I went digging for higher-up contacts at Skullcandy and sent emails to five higher-up addresses I found.
In this email I explained the situation, added extra information such as screenshots of the main .htaccess file and samples of the database that showed the data was from Skullcandy, and also mentioned I saw references to https://www.cyberworx.in in the database and wasn’t sure if they were the ones responsible for the server or not, but since the data was from Skullcandy clients I was emailing them instead.
Every email bounced back, rejected by the mail server, except the one to the Skullcandy CEO, but that seemed to be enough, as less than 48h later, on January 27th, I noticed the server and files had been secured.
I never got any kind of response so on February 7th I sent an email to the CEO directly and asked:
“Is Skullcandy disclosing this publicly and notifying their clients, or do you have logs that prove no access to the data and therefore no notification is required. If you intend to disclose but haven't done so yet I can hold off my publication for a few days until you do, but let me know if that is the case.”
Four days after my follow up email to the CEO, I got a reply. The CEO had forwarded my email to the CIO to respond.
The CIO thanked me for the information and told me that, as a courtesy, they had forwarded my initial notification to the third-party distributor responsible, BrandEyes, that they were left to investigate and take any needed action, and that if I had further questions I should reach out to the third party directly.
My initial attempt to report this was to BrandEyes and I never got a reply, even though they claim all queries are addressed within 48 working hours, so I replied thanking them for having the courtesy of doing their job and forwarding an email, and asked for a BrandEyes contact since the email I had used didn’t work.
As of publishing this, I have not received any contact to reach out to, or any reply.
Final notes
I hope there is some nice company bonus for all this email forwarding. Can you imagine the work involved in forwarding an email to some third-party distributor that is actively harming your brand by leaking the personal information of people who bought something with your brand name on it?
If you’re interested in more incidents I dealt with, you can check all my public finds indexed by country on the post below: