Razer Leaks Personal Info of 100,000 Gamers in Data Breach
Hardware manufacturer Razer landed itself in hot water over the weekend when it became public knowledge that over 100,000 customers had their data exposed through a server misconfiguration that took the company weeks to fix.
We know about the exposure thanks to security researcher Volodymyr “Bob” Diachenko, who discovered a misconfigured Elasticsearch cluster owned by Razer. The misconfiguration left customers’ personally identifiable information (PII) publicly reachable.
The cluster held records of customer orders, including products purchased, email addresses, physical addresses, phone numbers, and similar details. The Razer data breach did not include credit card numbers, but the data had been indexed by search engines, meaning this was a massive invasion of privacy for Razer’s customers.
According to the researcher, the problem was reported three weeks before it was fixed, and the report bounced around Razer’s notoriously bad support system before the cluster was finally secured.
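The pattern behind this kind of exposure is an Elasticsearch node bound to a public interface with no authentication in front of its REST API. The following is an added example, not code from the article or from Razer, showing a small audit that flags that combination in an `elasticsearch.yml`. It assumes a flat `key: value` file (not full YAML), uses the real Elasticsearch settings `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, and embeds two constructed configs: a weak one matching the misconfiguration described above, and a hardened one.

```python
"""Audit a flat elasticsearch.yml for the 'public bind, no auth' exposure pattern.

Added example; the sample configs below are constructed, not Razer's.
Assumes a flat 'key: value' file rather than nested YAML.
"""
from ipaddress import ip_address
from typing import Dict, List


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for flat 'key: value' lines; strips comments and quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_public_bind(host: str) -> bool:
    """True when network.host would bind a non-loopback interface."""
    # Elasticsearch special values that resolve to non-loopback addresses
    if host in ("0.0.0.0", "::", "_site_", "_global_"):
        return True
    if host in ("_local_", "localhost"):
        return False
    if host.startswith("_"):  # e.g. _eth0_, _eth0:ipv4_: a real NIC
        return True
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # unresolved hostname: treat conservatively as reachable


def audit_elasticsearch_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure pattern found.

    xpack.security.enabled defaults differ across Elasticsearch versions
    (off in many 6.x/7.x deployments, on in 8.x), so the check requires an
    explicit 'true' rather than trusting the default.
    """
    s = parse_flat_yaml(text)
    findings: List[str] = []
    host = s.get("network.host", "_local_")  # ES default binds loopback only
    security = s.get("xpack.security.enabled", "").lower()
    tls = s.get("xpack.security.http.ssl.enabled", "").lower()

    if is_public_bind(host) and security != "true":
        findings.append(
            f"CRITICAL: network.host={host} with xpack.security.enabled="
            f"{security or 'unset'}: REST API answers unauthenticated"
        )
    if is_public_bind(host) and tls != "true":
        findings.append(
            "HIGH: HTTP listener without TLS "
            "(xpack.security.http.ssl.enabled is not true)"
        )
    return findings


# Constructed weak config: the shape of exposure described in the article.
WEAK_CONFIG = """
cluster.name: orders
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened config: private address, auth and TLS required.
HARDENED_CONFIG = """
cluster.name: orders
network.host: 10.0.0.5          # private address, fronted by a firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or ["OK"])
```

Binding to a private address is not a substitute for authentication; the hardened sample turns on both, because a cluster that is reachable by anyone who can route to port 9200 is only as safe as the network in front of it.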
Razer Tries to Save Face
For their part, Razer admitted responsibility for the misconfiguration and apologized publicly to its customers for the data breach.
“We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed,” Razer said in a statement.
“The server misconfiguration has been fixed on Sept. 9, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers.”
The issue here is that Razer is well-known for running customers’ data through the cloud, both via its Razer Synapse service and via its website. If a misconfiguration this large can exist on the order database, who is to say that users’ data is not also at risk when they are running Synapse? Up until last year, you had to have a Razer account to use the software, which controls many vital functions of Razer keyboards, mice, and other peripherals in its ecosystem. Now, however, users can use “guest mode” to store a profile locally on the PC they are using and skip the account, though you lose some functionality by doing so, namely cloud saves for your profiles.
Razer has had issues with its Synapse software too. According to Ars Technica, last year the company awarded a single HackerOne user 28 separate bounties for security issues in that software. Paying bounties is normal for a large tech company, but that many vulnerabilities in the client software, on top of a server misconfiguration like this one, isn’t a good sign.
Of course, these sorts of things matter even though credit card information was not stolen. Personal details are exactly what an attacker needs to impersonate you to a support desk: it’s a short leap from knowing someone’s order details, address and phone number to calling Razer’s support line and using them as a pretext to “verify” a credit card number.
Ars Technica’s reporting shows that while breaches and leaks are down overall, they still happen every single day, and the number of scams reported hasn’t dropped. This means that users on the Internet still need to be hyper-vigilant about protecting their data, and should look into using a password manager, never reusing the same password across accounts, and even varying answers to security questions. Of course, there’s also the question of whether a particular service you’re signing up for is worth handing your data to in the first place.