Gaming hardware manufacturer Razer has confirmed it suffered a data leak that could have exposed information relating to circa 100,000 customers.
The incident was first discovered by security researcher Bob Diachenko, who came across an improperly configured database containing data belonging to users of Razer’s online store.
The cloud database contained personally identifiable information (PII) – such as names, email addresses, phone numbers, addresses and more – but did not expose payments data that could be used to facilitate financial fraud.
Razer data leak
According to Diachenko, the Elasticsearch cluster was publicly available from August 18 onwards, indexed by public search engines.
The researcher first alerted Razer to the configuration error in mid-August, but the issue remained unresolved for a number of weeks, despite correspondence with various members of the firm’s support team.
“The server misconfiguration has been fixed on September 9, prior to the lapse being made public,” said Razer in a statement delivered to Diachenko.
“We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security systems. We remain committed to ensure [sic] the digital safety and security of all our customers.”
To shield against credential stuffing attacks, gamers who suspect their data may have been compromised are advised to change their Razer credentials, as well as passwords for any other online accounts that use the same combination.
The information held on the unsecured database could also be used to launch targeted spear-phishing attacks, so Razer customers should also be wary of clicking links and opening attachments held in emails relating to the firm, which could be fraudulent.