Gaming hardware firm Razer accidentally exposed over 100,000 customers' personal data for close to a month, according to a report by a cybersecurity consultant.
Cybersecurity consultant discovers data breach on Razer's online store
Volodymyr Diachenko shared his discovery in a post on LinkedIn, detailing how customer data such as addresses and emails had been publicly available since Aug. 18, 2020, due to a server misconfiguration.
"Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K," Diachenko wrote in his post.
He included an extract of the personal information exposed on the company's online store, with the customers' information redacted.
He added that he immediately reached out to the company regarding the exposure, but it took three weeks before he received a response from Razer.
Information leak acknowledged by Razer, says no payment methods were exposed
In a statement sent to Diachenko, Razer acknowledged the information breach, which "potentially exposed order details, customer and shipping information", adding that it was fixed on Sep. 9, 2020.
However, the company said that no "sensitive information", such as credit card information and other payment methods, was exposed by the misconfiguration.
In a statement provided by Razer to Mothership, the company said:
"We were made aware by a security researcher of a server misconfiguration that potentially exposed order details, customer and shipping information. No sensitive data such as credit card numbers or passwords was exposed. The server misconfiguration has been fixed on Sep. 9, prior to the lapse being made public.
We sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers.
Customers who have questions about this can reach out to [email protected]"
Personal information could be used for phishing attacks
Diachenko added in his post that the customer records could be used by criminals to launch targeted phishing attacks wherein the scammer poses as Razer or a related company.
"Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device," he warned.
Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data, Diachenko cautioned.