[BreachExchange] Customer data from gaming hardware maker Razer found exposed online

Destry Winant destry at riskbasedsecurity.com
Mon Sep 14 10:15:51 EDT 2020


https://siliconangle.com/2020/09/10/customer-data-gaming-hardware-maker-razer-found-exposed-online/

More than 100,000 customer records belonging to Razer Inc. have been
found exposed online in yet another case of a company failing to
secure its online storage.

Discovered and publicized today by security researcher Bob Diachenko,
the exposed data included full names, emails, phone numbers, customer
internal IDs, order numbers, order details, and billing and shipping
addresses.

Razer, based in Irvine, California, and Singapore, manufactures
high-end gaming-focused hardware ranging from laptops to gaming
keyboards and mice, and it’s also involved in esports and
financial services. It competes directly with Micro-Star International
Co. Ltd. in the gaming equipment market.

Before going public with the disclosure, Diachenko reached out to
Razer with his discovery of the exposed data, but it took three weeks
for the company to take the Amazon Web Services Inc. Elasticsearch
database down.

As with all exposed databases, the risk is that the data, presuming
that it had been accessed by bad actors, can be used for phishing
attacks and other forms of malicious activity.

Chris DeRamus, vice president of technology, cloud security practice
at security operations company Rapid7 Inc., told SiliconANGLE that
breaches caused by cloud misconfigurations in 2018 and 2019 exposed
nearly 33.4 billion records in total.

“If accessed by bad actors, the sensitive information exposed from
Razer’s Elasticsearch database is more than enough fodder to launch
targeted phishing attacks, engage in account takeover fraud or even
make a quick profit by selling the data on the dark web,” DeRamus
said.

Anurag Kahol, chief technology officer at cloud access security broker
Bitglass Inc., said organizations must take a more proactive and
holistic approach to cloud security to identify and remediate
misconfiguration. “By implementing multifaceted solutions that enforce
real-time access control, detect misconfigurations through cloud
security posture management, encrypt sensitive data at rest, manage
the sharing of data with external parties, and prevent data leakage,
organizations can ensure the privacy and security of sensitive
information,” he said.

