Razer has confirmed that customer data was left accessible to the public for weeks, exposing customers’ personal information to malicious parties.
Data that was exposed includes customers’ full names, email addresses, phone numbers, and shipping addresses. Razer claimed that passwords and credit card information were not exposed.
Security researcher Volodymyr ‘Bob’ Diachenko discovered the leak, which he estimates to have exposed about 100,000 Razer customers’ details.
“It was part of a large log chunk stored on a company’s Elasticsearch cluster misconfigured for public access since August 18th, 2020 and indexed by public search engines,” explained Diachenko.
“Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device.”
Diachenko said that he immediately notified Razer of the exposed data through its support channel, but his message did not reach the right people for weeks.
He added that it took over three weeks after he reported the exposed data for the records to be secured from public access.
Razer acknowledged that Diachenko had alerted it to this security issue.
“We were made aware by Mr Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed,” said Razer.
“The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public.”
Razer thanked Diachenko for notifying it of the issue, and said it has taken “all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems”.
“We remain committed to ensure the digital safety and security of all our customers,” Razer added.