[German]There has been a data leak at gaming provider Razer Inc. The data of thousands of Razer customers with orders and shipping details were reachable via Internet on an open and not password protected database.
Advertising
Razer is the world's leading lifestyle brand for gamers. Razer, Inc. is a global company that manufactures gaming hardware and provides esports and financial services. The provider of high-end gaming hardware also sells these via an online store (RazerStore). According to the following tweet, security researcher Bob Diachenko came across an open database with customer data of this provider, which was accessible via the Internet.
Gaming hardware giant Razer Inc. recently experienced a privacy incident where customer emails, phone numbers, shipping and billing addresses and more were published online. The security researcher has published a brief summary on LinkedIn.
(Razer customer data, Click to zoom)
Unprotected Elasticsearch cluster on the Internet
Diachenko came across a non-password-protected database that was accessible via the Internet. The information disclosed (see image above) includes full name, e-mail, phone number, internal customer ID, order number, order details, billing and shipping address. The exact number of affected customers has yet to be determined, as the database was originally part of a large log block stored on a company's Elasticsearch cluster. The Elasticsearch cluster was incorrectly configured and publicly accessible via the Internet since August 18, 2020. The database was indexed by public search engines.
Advertising
Based on the number of exposed emails, Diachenko estimates the total number of affected customers to be around 100,000. Although the security researcher immediately notified the company of this data breach through appropriate channels, the company was unable to respond. Apparently, the notification never reached the right people within the company. As Diachenko writes, the information was processed by non-technical support managers for more than 3 weeks until the Elasticsearch cluster instance was protected from public access via the Internet.
The risk of such data leaks
The customer data could be used by criminals who may have accessed the data to launch targeted phishing attacks on Razer customers. In such phishing attacks, the cyber criminals impersonate Razer or an affiliate because the customer data is known. Razer customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages could entice victims to click on links to fake login pages or download malware to their device.
