Any time you buy something online, you take a risk on the security of the company that you are purchasing from. Even the best companies can have vulnerabilities that they aren't aware of until it's too late. Such is the case with Razer, which recently apologized for a leak that exposed the personal information of around 100,000 gamers.
The information was discovered by Volodymyr Diachenko, an independent cybersecurity consultant, who then shared the news of the discovery on LinkedIn — after the information was hidden again. Full names, telephone numbers, email addresses, internal customer IDs, order numbers, order details, billing, and shipping addresses were all available to the public for nearly a month.
Unlike other issues like this, this was not a breach of security. Instead, the company misconfigured part of its internal search engine and made customer information public when it obviously should have been private. That information was then indexed on consumer-facing search engines like Google. The LinkedIn post explains that Razer was immediately made aware of the problem, but that non-IT employees were handling the claim for three weeks before the appropriate personnel were brought in.
A statement from Razer (via PC Gamer) apologized for the leak:
We were made aware by a security researcher of a server misconfiguration that potentially exposed order details, customer, and shipping information. No sensitive data such as credit card numbers or passwords was exposed. The server misconfiguration was fixed on the 9th September, prior to the lapse being made public.
We sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers.
Customers who have questions about this can reach out to DPO@razer.com.
According to Diachenko, the information could be used to conduct phishing scams on those whose information was exposed. He also stated that the information of those who ordered Razer products in California between July and August should assume that their information was publicly available. No complete list of how many people were affected is available.
If there's one thing that worries us, it's Razer's response time. Perhaps Diachenko didn't follow the correct channel to initially report the issue, but the internal communication at Razer is what seems to have failed. Perhaps Razer was being overly cautious in dealing with Diachenko, or maybe its support staff simply didn't know where to direct the report. Either way, having sensitive information publicly exposed for a month is not acceptable.
Source: LinkedIn