Back in August, a certain security researcher known as Volodymyr Diachenko first discovered a certain misconfigured Elasticsearch cluster that was owned by a popular gaming hardware vendor known as Razer. The leak apparently showed the customers' PII or Personal Identifiable Information.
The compromised information
The cluster actually contained different records of other customer orders and also included some information just like the item that was purchased, the customers' email as well as physical address, their phone number, and others.
Basically, the information that was leaked was pretty much the information you would expect to see from someone's own credit card transaction, although not giving away the exact credit card number themselves. The whole Elasticsearch cluster was not just being exposed to the general public, it was also being indexed by certain public search engines!
The report was bounced around
Diachenko has previously reported the whole misconfigured cluster, which surprisingly contained about 100,000+ users' data, immediately to Razer! Despite the intent to inform, the report was then bounced from one support rep to another support rep for about three weeks before it was actually fixed!
Razer has issued a public statement with regards to the leak saying that they were made aware by a certain Mr. Volodymyr with regards to a server misconfiguration that could actually expose different order details, customers, and also shipping information.
I must say I really enjoyed my conversations with different reps of @Razer support team via email for the last couple of week, but it did not bring us closer to securing the data breach in their systems. pic.twitter.com/Z6YZ5wvejl — Bob Diachenko (@MayhemDayOne) September 1, 2020
They assured the public that there was no sensitive data just like credit card numbers or even passwords that were being exposed. This particular server misconfiguration has also been previously fixed sometimes on September 9, prior to the whole lapse being made available to the public.
It was also stated that Razer would like to both thank the customers and apologize for the recent lapses and that they have taken all of the necessary steps in order to fix this issue as well as actually conduct a whole thorough review of their very own IT systems and security.
It was also stated that they are still very committed to ensuring the solid digital security and safety of all of their own customers.
Razer's known requirement
One of the many things that Razer is actually well-known for aside from the typical hardware itself, is for requiring a certain cloud login in order to get just about anything that relates to the hardware. The company also offers a certain unified configuration program known as Synapse, which makes use of a single interface to control every single one of a user's Razer gear.
Just until some time last year, Synapse would not actually function, and users were not able to configure their own Razer gear that included changing mouse resolution or even keyboard backlighting, without actually logging into a particular cloud account.
The current versions of the whole Synapse allow the different locally stored profiles for certain off-internet use and also what the company refers to as a particular "Guest Mode" in order to bypass the whole cloud login.
This article is owned by Tech Times
Written by Urian Buenconsejo