[BreachExchange] 1.1 million SCUF Gaming customer records exposed online due to faulty sever security

Tue Apr 14 10:12:50 EDT 2020

https://securityboulevard.com/2020/04/1-1-million-scuf-gaming-customer-records-exposed-online-due-to-faulty-sever-security/

Earlier this month, SCUF Gaming, a manufacturer of high-end gaming
controllers for PC, Xbox and PS4 announced a security incident that
left the personal information more than 1 million customers exposed
online.

The discovery

On April 1, security researcher Bob Diachenko discovered that a
database on one of SCUF Gaming’s servers was freely accessible online
without authentication or password. On April 2, the company was
notified and immediately began to investigate and seal off further
unauthorized access.

During the investigation, the company stumbled upon a note left by
cybercriminals who had allegedly exfiltrated the data.

“Your Database is downloaded and backed up on our secured servers. To
recover your lost data, Send 0.3 BTC to our BitCoin Address and
Contact us by eMail.”

The data breach notification posted on SCUF Gaming’s official website
states that “This issue was specific to one system, being operated
off-site due to work-from-home precautions resulting from the current
COVID-19 pandemic. It contained a database used for customer orders,
returns and repairs, along with other non-sensitive customer
information. We immediately took action to close off this access.”

It appears that the database contained both employee and customer
information spanning 3 years, including:

• Full names, email addresses, billing addresses, shipping addresses,
phone numbers, and order histories for 1,128,649 customers • Payment
details, including order numbers, partial credit card numbers, credit
card expiration dates, order amounts, and transaction IDs for 991,478
customers • Usernames, full names, encrypted passwords, email
addresses, user roles and session IDs for 754 SCUF Gaming employees •
Repair order details for 144,479 customers • Undisclosed number of API
Keys

The company is now informing all affected parties and has started a
security audit to make sure its systems and databases remain secure.

What is the risk?

Although the company reassures customers that “there is no risk of
exposed customers’ full credit card numbers, credit card CVV numbers,
scufgaming.com user names, encrypted customer passwords, or any card
information for orders processed via PayPal or other payment methods,”
bad actors can still use the stolen information in many ways. Personal
identifiable information is enough for fraudsters and scammers to
deploy sophisticated phishing attacks or impersonate you, ultimately
leading to fraud. If you find yourself among the victims, remain calm
and anticipate your risks.

Be aware that scammers can contact you using your email address and
phone number. They can send you a phishing email appearing to be from
the company and ask you for additional financial or personal
information. Keep an eye out for unsolicited emails in your Inbox, and
do not provide additional data that could help criminals paint the
full picture. It’s also a good idea to monitor your bank account for
suspicious activity.

Data breaches happen daily, and most Internet users have been or will
become a victim in the near future. The aftermath is what matters and
that’s where we really need to focus our energy – stopping cyber
thieves from capitalizing on our data.