Cybersecurity researcher Volodymyr “Bob” Diachenko discovered a non-password-protected database belonging to Razer that was accessible from the Internet. The exposed database held records on approximately 100,000 individuals, including each customer’s full name, email address, contact number, internal customer ID, order numbers, order details, and billing and shipping addresses. According to Diachenko, the data was part of a large chunk of logs stored on a company Elasticsearch cluster that had been misconfigured for public access since August 18th, 2020, and had been indexed by public search engines. The precise number of affected customers has not been established. “The exact number of affected customers is yet to be assessed,” said Diachenko, “Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K.” Following the discovery, Diachenko immediately notified the company through its support channel. But in his report, he wrote: “My message never reached the right people inside the company and was processed by non-technical support managers for more than three weeks until the instance was secured from public access.”
— Bob Diachenko (@MayhemDayOne) September 1, 2020

In a statement sent to Diachenko, Razer said: “We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed.” Razer fixed the server misconfiguration on September 9th, before the lapse was made public. “We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as to conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers,” the statement continued.

Diachenko warned customers who have purchased from Razer’s online store that the exposed records could be used for targeted phishing in which the scammer poses as Razer or a related company. Because the records contain real order numbers and shipping addresses, such messages can be made far more convincing than generic spam. Customers should watch for phishing attempts by phone or email; malicious messages may try to lure victims to fake login pages or to download malware onto their devices. If you receive an email claiming to be from Razer, log in only at razer.com and not at any other site.
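The root cause described above is an Elasticsearch cluster that answered unauthenticated HTTP requests from the Internet. The following is an added example (not code from the article, from Diachenko, or from Razer) showing how a defender would check their own perimeter for that condition: an anonymous `GET /` against port 9200 that returns `cluster_name` and `version` means anyone can read the cluster, and `GET /_cat/indices?format=json` then lists what is exposed. Those two REST endpoints are real Elasticsearch endpoints; the host addresses (TEST-NET range 203.0.113.0/24) and the JSON responses are constructed so the script runs offline. A secured cluster answers `401` with a `security_exception`, which the check treats as not exposed. Only run the live `http_get` path against hosts you are authorized to test.

```python
import json
from typing import Callable, Dict, List, Tuple
from urllib import error, request

# (HTTP status, response body). Status 0 stands for "could not connect".
Response = Tuple[int, str]


def http_get(url: str, timeout: float = 5.0) -> Response:
    """Plain GET with no credentials: exactly what an Internet scanner sends."""
    try:
        req = request.Request(url, headers={"Accept": "application/json"})
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (error.URLError, OSError):
        return 0, ""


def assess_exposure(base_url: str, get: Callable[[str], Response] = http_get) -> Dict[str, object]:
    """Classify an Elasticsearch HTTP endpoint by how it treats anonymous requests."""
    base = base_url.rstrip("/")
    result: Dict[str, object] = {
        "reachable": False,
        "unauthenticated_access": False,
        "cluster_name": None,
        "indices": [],
        "doc_count": 0,
    }
    status, body = get(base + "/")
    if status == 0:
        return result  # nothing listening, or filtered by a firewall
    result["reachable"] = True
    if status in (401, 403):
        return result  # authentication is enforced; anonymous access denied
    if status != 200:
        return result
    try:
        info = json.loads(body)
    except ValueError:
        return result  # port open but not an Elasticsearch banner
    if not (isinstance(info, dict) and "cluster_name" in info and "version" in info):
        return result
    # The banner came back to an anonymous caller: the cluster is readable by anyone.
    result["unauthenticated_access"] = True
    result["cluster_name"] = info["cluster_name"]
    idx_status, idx_body = get(base + "/_cat/indices?format=json")
    if idx_status == 200:
        try:
            rows = json.loads(idx_body)
        except ValueError:
            rows = []
        rows = [r for r in rows if isinstance(r, dict)]
        result["indices"] = [r.get("index") for r in rows]
        result["doc_count"] = sum(int(r.get("docs.count") or 0) for r in rows)
    return result


# Constructed sample responses (hypothetical hosts and data, not captured from any real cluster).
OPEN_CLUSTER = {
    "http://203.0.113.10:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "logs-prod",
        "version": {"number": "7.8.1"}, "tagline": "You Know, for Search",
    })),
    "http://203.0.113.10:9200/_cat/indices?format=json": (200, json.dumps([
        {"index": "order-logs-2020.08", "docs.count": "98417", "store.size": "1.2gb"},
        {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
    ])),
}
SECURED_CLUSTER = {
    "http://203.0.113.11:9200/": (401, json.dumps({
        "error": {"type": "security_exception",
                  "reason": "missing authentication credentials for REST request [/]"},
        "status": 401,
    })),
}


def fake_transport(table: Dict[str, Response]) -> Callable[[str], Response]:
    """Offline stand-in for http_get: unknown URLs behave like a closed port."""
    return lambda url: table.get(url, (0, ""))


if __name__ == "__main__":
    for host, table in (("203.0.113.10", OPEN_CLUSTER), ("203.0.113.11", SECURED_CLUSTER)):
        print(host, assess_exposure(f"http://{host}:9200", fake_transport(table)))
```

Wire `assess_exposure` to the real `http_get` and feed it the external addresses of every host that should not be serving Elasticsearch, and you have the check that, had it been in place, would have flagged this cluster on August 18th rather than three weeks after a researcher reported it.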