A cloud misconfiguration at the gaming-gear merchant potentially exposed roughly 100,000 customers to phishing and fraud.
According to a researcher, roughly 100,000 customers of Razer, a seller of high-end gaming equipment ranging from laptops to apparel, have had their personal information exposed.
Security researcher Bob Diachenko came across a misconfigured Elasticsearch cloud cluster that exposed a segment of Razer’s infrastructure to the public internet, for anyone to see. It contained a trove of information useful to cybercriminals, including full name, email, phone number, customer internal ID, order number, order details, and billing and shipping address.
Diachenko said he estimated the number of customers affected; Threatpost has reached out to Razer for more information.
“The exact number of affected customers is yet to be assessed, as originally it was part of a large log chunk stored on a company’s Elasticsearch cluster misconfigured for public access since August 18th, 2020 and indexed by public search engines,” he said, in a LinkedIn posting on Thursday. “Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K.”
He said that he discovered the exposed database on Aug. 18, and on Aug. 19 notified the company of the problem. After he received a support ticket and case number through Razer’s support channel, the remediation process was held up by being bounced around between non-technical support managers for more than three weeks, he said. Eventually, the cloud instance was secured from public access.
There is no way of knowing whether the database had been accessed by other, more malicious visitors, but Diachenko noted that the information could be used in social-engineering and fraud attacks.
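The exposure described above comes down to an Elasticsearch node answering credential-less requests from the internet. The following Python script is an added example for this article, not code from Razer, Diachenko or Threatpost. It assumes the default Elasticsearch REST API (an unauthenticated `GET /` returns the cluster banner; with security enabled the node answers 401 with a `WWW-Authenticate` challenge) and a default port of 9200; the host name is an operator-supplied assumption, and the sample banner, index listing and log chunk are constructed for offline use. It classifies the root response, totals documents in user indices, and counts distinct e-mail addresses in a log chunk, the kind of lower-bound estimate the researcher describes using. Run it only against systems you are authorized to test.

```python
"""Triage helpers for a suspected open Elasticsearch endpoint.

Added example for this article; not code from Razer or the researcher.
Assumes the default Elasticsearch REST API (GET / and GET /_cat/indices).
"""
import json
import re
import urllib.error
import urllib.request

ES_TAGLINE = "You Know, for Search"   # banner field every ES node returns on GET /
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_root_response(status, headers, body):
    """Classify the reply to an unauthenticated GET / on a suspected ES host.

    "open"   - node answered with its banner, no credentials required
               (the public-access misconfiguration in the article)
    "auth"   - HTTP 401 with a WWW-Authenticate challenge (security enabled)
    "not-es" - something other than Elasticsearch is listening
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in hdrs:
        return "auth"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-es"
        if isinstance(doc, dict) and (
            doc.get("tagline") == ES_TAGLINE
            or ("cluster_name" in doc and "version" in doc)
        ):
            return "open"
    return "not-es"


def summarize_indices(cat_indices_json, top=5):
    """Total document count plus the largest user indices, from the JSON
    body of GET /_cat/indices?format=json. Dot-prefixed system indices
    (.kibana, .security, ...) are skipped so they do not inflate the count."""
    rows = json.loads(cat_indices_json)
    user = []
    for row in rows:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        user.append((name, int(row.get("docs.count") or 0)))
    user.sort(key=lambda t: (-t[1], t[0]))
    return sum(count for _, count in user), user[:top]


def count_distinct_emails(text):
    """Lower-bound estimate of affected people in a log chunk: the number
    of distinct, case-folded e-mail addresses it contains."""
    return len({m.group(0).lower() for m in EMAIL_RE.finditer(text)})


def probe(host, port=9200, timeout=5):
    """Live check (assumed host/port): one unauthenticated GET / and a verdict."""
    req = urllib.request.Request(
        f"http://{host}:{port}/", headers={"User-Agent": "es-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_root_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:          # 401/403 etc. still carry headers
        return classify_root_response(err.code, dict(err.headers), "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample data (not from the incident) so the helpers run offline.
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "shop-logs",
    "version": {"number": "7.8.1"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": ".kibana_1", "docs.count": "12"},
    {"index": "orders-2020.08", "docs.count": "86000"},
    {"index": "support-2020.08", "docs.count": "14000"},
])
SAMPLE_LOG_CHUNK = (
    '{"order":"A1","email":"Alice@example.com"}\n'
    '{"order":"A2","email":"alice@example.com"}\n'
    '{"order":"B7","email":"bob@example.org"}\n'
)

if __name__ == "__main__":
    print(classify_root_response(200, {"Content-Type": "application/json"}, SAMPLE_OPEN_BANNER))
    print(summarize_indices(SAMPLE_CAT_INDICES))
    print(count_distinct_emails(SAMPLE_LOG_CHUNK))
```

A verdict of "open" is the condition to escalate immediately: anyone on the internet can read every index, and search engines will index the JSON just as the researcher describes. The e-mail count is deliberately a lower bound, since one person may appear under several addresses and not every record carries one.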
“The customer records could be used by criminals to launch targeted phishing attacks wherein the scammer poses as Razer or a related company,” he wrote. “Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device.”