Thousands of Razer customers' order and shipping details exposed on the web without a password

UPDATED on Sept 11th, 2020 with a comment from the company.

Exposed information includes full name, email, phone number, customer internal ID, order number, order details, billing and shipping address.


Razer, Inc. is a global gaming hardware manufacturing company, esports and financial services provider.

The exact number of affected customers has yet to be assessed: the records were originally part of a large chunk of logs stored on a company Elasticsearch cluster that had been misconfigured for public access since August 18th, 2020 and was indexed by public search engines. Based on the number of emails exposed, I would estimate the total number of affected customers at around 100K.
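The root cause above is a cluster whose REST API answered unauthenticated requests from the Internet. The following is an added example, not code from the original post or from Razer, showing the two settings an operator should check in their own elasticsearch.yml: the bind address and whether security is enabled. The two sample configurations are constructed for illustration (they are not the real settings from this incident), the checker handles only flat `key: value` lines, and a missing `xpack.security.enabled` is treated as disabled, which matches the default of Elasticsearch versions before 8.0.

```python
"""Audit an elasticsearch.yml for the misconfiguration class described above:
an HTTP API bound beyond loopback while security is switched off.

Added example; sample configs are constructed, not taken from the incident.
"""

# Values that keep the HTTP API on the local host only.
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines Elasticsearch uses.

    Comments and blank lines are skipped; nested YAML is out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def bind_addresses(settings):
    """Return the list of addresses the HTTP API listens on.

    http.host overrides network.host; when neither is set Elasticsearch
    binds to loopback only.
    """
    raw = settings.get("http.host", settings.get("network.host", "_local_"))
    raw = raw.strip("[]")  # allow list syntax such as [_local_, _site_]
    return [v.strip().strip("\"'") for v in raw.split(",") if v.strip()]


def audit(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings = parse_flat_yaml(config_text)
    findings = []

    exposed = [h for h in bind_addresses(settings) if h not in LOOPBACK]
    if exposed:
        findings.append(
            "HTTP API bound to non-loopback address(es): " + ", ".join(exposed)
        )

    # Assumption: absent key == disabled (pre-8.0 default).
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if not security_on:
        findings.append("xpack.security.enabled is not true: requests need no credentials")

    if exposed and not security_on:
        findings.append("CRITICAL: unauthenticated REST API reachable from outside the host")
    return findings


# Constructed sample: the weak configuration that leads to public indexing.
WEAK_CONFIG = """
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = """
cluster.name: logs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no findings"])
```

Run it against your own node's elasticsearch.yml; a node that must be reachable by other hosts should still report only the bind-address finding, never the CRITICAL one, and should sit behind a firewall or reverse proxy that is not on the public Internet.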

I immediately notified the company of the exposure via their support channel; however, my message never reached the right people inside the company and was handled by non-technical support managers for more than 3 weeks before the instance was secured from public access.

UPDATE from the company:

We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed. 

The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. 
We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers. 

Dangers of exposed data

The customer records could be used by criminals to launch targeted phishing attacks wherein the scammer poses as Razer or a related company. Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device.

Razer customers could be at risk of fraud and targeted phishing attacks perpetrated by criminals who might have accessed the data.

How and why we discovered this exposure

Our goal is to help protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide.

Our extensive cybersecurity knowledge lends itself well to searching for and analyzing data leaks. Our due diligence demands that we make every attempt to identify who is responsible and notify them as quickly as possible.

Our hope is to minimize harm to end users whose data was exposed. We take steps to find out what each database contained, for how long it was exposed, and what threats to end users might arise as a result. Our findings are compiled into reports like this one to raise awareness and curb misuse of personal data by malicious parties.

Let's educate ourselves!

As we see a never-ending loop of these incidents, I have decided to offer a live educational session (webinar or offline workshop) to raise cyber security awareness within your organization and prevent similar issues in the future. I use real-world examples and stress that data security matters to every employee at every level of the organization.

It can be an online webinar session (estimated 1h long, with a Q&A session) or an offline meeting in your offices with live interaction with your team (workshop included).

Proposed content includes:

  • Description of tools and techniques we use to identify vulnerabilities, PII and sensitive data online: no hacking, just google-it.
  • How to ensure your data / your company’s data is not exposed to the public internet, security tips from professionals
  • Recommendations and best practice on main noSQL databases configurations and maintenance (MongoDB, CouchDB, Elasticsearch)
  • Case studies: analyzing related data appearance online
  • Live search for data and master class

Let’s educate your team!

Additional services include classic security audits (with OSINT monitoring), such as black-box and grey-box penetration tests and vulnerability scans. Our team (based in Hamburg and Kyiv) will assess overall network and cloud security, including the network perimeter, devices residing on network segments, and Internet-facing assets, for potential vulnerabilities that could expose critical organizational systems and applications, customer information, organization information, and financial assets.

Please feel free to send your requests to bob(at)securitydiscovery.com.


So, how can I find out if my data has been breached, actually? I kid you not, I ordered a mouse directly on their online store on 18th of August. I feel like Schrödinger's data breach right now.

Waqas Ahmed

Founder & Editor of HackRead Media

3y

Good job Bob.

Like
Reply
Chase Dittmer

Senior Executive and Founder

3y

Typical Razer quality. Everyone working at this company should be ashamed.

Hung Wei Goh

Community Management, Social Media, Branding, Management | Marketing Lead with Global Experience

3y

We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed. The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers.

O I

Human Resources Director at Onyx industries org

3y

Do you mean those who ordered directly on Razer’s website, or through third party marketplaces?
