Gaming vendor Razer exposed the personal information of over one lakh gamers, leaving it available for nearly a month for hackers to exploit, says security researcher Volodymyr Diachenko.
Razer, a gaming hardware manufacturer and esports and financial services provider, has acknowledged the server misconfiguration. Razer has yet to reveal whether the accidental exposure of personal data will have any impact on its business.
Razer reported revenue of $447.5 million (+25.3 percent) for the first half of 2020, beating expectations, driven by strong growth across the entire Peripherals portfolio. The Covid-19 pandemic has contributed to the growth of the gaming hardware and software supplier.
Min-Liang Tan, co-founder and CEO of Razer, said: “The stay-at-home situation has boosted user engagement with gaming and esports to record levels.”
Volodymyr Diachenko discovered that customer data on Razer’s website was made publicly available on August 18 because of a server misconfiguration.
The leaked data included full name, email, phone number, customer internal ID, order number, order details, and billing and shipping address.
After discovering the misconfiguration online, Diachenko reached out to Razer several times over the span of three weeks before receiving a reply.
“My message never reached the right people inside the company and was processed by non-technical support managers for more than three weeks until the instance was secured from public access,” Diachenko said in a post on LinkedIn.
“We were made aware by Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed,” Razer said.
Razer said the server misconfiguration was fixed on September 9, before the lapse was made public.
Diachenko said criminals could use the customer records to launch targeted phishing attacks in which the scammer poses as Razer or a related company, IANS reported.
“Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device.”