The gaming peripheral company Razer suffered a data leak that exposed over 100,000 customers' personal information. The leak affected customers who purchased Razer products from its website before September 9, 2020.
The information contained customers' names, phone numbers, email and shipping addresses, order and billing details. Razer is a popular Singapore-American gaming hardware company that manufactures peripherals such as mice, keyboards, gaming products and laptops.
Unprotected Server
Security researcher Volodymyr Diachenko first noticed the issue on August 19 and immediately contacted the company's support team. After a few back-and-forth emails, Razer fixed the issue on September 9, saying that it was the result of a misconfigured server that left the information easily accessible. However, the customer information was exposed for nearly a month, and the number of affected customers could be higher than 100,000.
"The exact number of affected customers is yet to be assessed as originally it was part of a large log chunk stored on a company's Elasticsearch cluster misconfigured for public access since August 18, 2020 and indexed by public search engines. Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K," Diachenko said.
After Diachenko took it to LinkedIn, Razer responded with a statement saying that the server misconfiguration had been fixed and that customers' financial details, such as credit/debit card numbers, and passwords were not exposed.
"We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed. The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public," said Hung Wei Goh, Razer's Global Marketing Director, in a statement.
Should You Worry?
People who purchased any product directly from the Razer website between August 18 and September 9 might have had their data exposed. Cybercriminals can use personal information to target customers through a phishing attack. Scammers can pose as Razer or someone related to the company and send malicious emails or texts to steal data that could include banking information, BleepingComputer reported.
If you have purchased Razer products from its website, be alert. If you receive emails or texts from Razer, be sure to check directly on the company website. Don't click on any link that may be suspicious.
This is not the first time Razer has been in the news for all the wrong reasons. In 2019, a security vulnerability was found in Razer laptops. It could have allowed "attackers to safeguard rootkits with Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such as Meltdown, and many other things." A patch to fix the security flaw was released only after two weeks, and during that time many laptops would have been exposed to cyberattacks.