The data of around 100,000 Razer customers has been exposed online following a misconfiguration faux pas.
The lapse by the global hardware manufacturing company and eSports and financial services provider was discovered by cybersecurity expert Volodymyr “Bob” Diachenko.
Customer data impacted by the cyber-slipup included full name, email, phone number, customer internal ID, order number, order details, and billing and shipping address.
According to Diachenko, the data was part of a sizable log chunk stored on Razer’s Elasticsearch cluster that had been “misconfigured for public access since August 18, 2020, and indeed by public search engines.”
The independent cybersecurity consultant and owner of SecurityDiscovery.com said it was unclear precisely how many customers had been affected by the issue.
“The exact number of affected customers is yet to be assessed,” said Diachenko, “Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K.”
Reporting the misconfiguration mistake to Razer was a frustrating process for Diachenko.
He said: “I have immediately notified the company via their support channel on the exposure, however my message never reached right people inside the company and was processed by non-technical support managers for more than 3 weeks until the instance was secured from public access.”
In a statement sent to Diachenko, Razer said: “We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed.”
Razer said it fixed the server misconfiguration on September 9. The company thanked Diachenko for reporting their error and said it would “conduct a thorough review of our IT security and systems.”
Diachenko warned Razer customers that they could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.
“Leaving a database publicly accessible, unprotected without even a password, is a preventable yet common cause behind massive data leaks,” commented Chris DeRamus, vice president of technology, cloud security practice, at Rapid7.
“In fact, breaches caused by cloud misconfigurations in 2018 and 2019 exposed nearly 33.4 billion records in total.”