Gaming hardware vendor Razer has accidentally exposed personal information of over one lakh gamers that was available for nearly a month for hackers to exploit.
Security researcher Volodymyr Diachenko first discovered that customer data on Razer’s website was made publicly available on August 18 because of a server misconfiguration.
Leaked data included full name, email, phone number, customer internal ID, order number, order details, billing and shipping address.
After discovering the misconfiguration online, Diachenko reached out to Razer several times over the span of three weeks before receiving a reply.
“My message never reached the right people inside the company and was processed by non-technical support managers for more than three weeks until the instance was secured from public access,” Diachenko said in a post on LinkedIn.
Razer is a global gaming hardware manufacturing company, esports and financial services provider.
In a statement, the company acknowledged the server misconfiguration.
“We were made aware by Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed,” the company said.
“The server misconfiguration has been fixed on September 9, prior to the lapse being made public,” the company added.
However, according to Diachenko, the customer records could be used by criminals to launch targeted phishing attacks wherein the scammer poses as Razer or a related company.
“Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device”.
Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data, the security researcher warned.