Private data gone public: Razer leaks 100,000+ players’ personal info

This redacted sample record from the leaked Elasticsearch data shows someone's June 24 purchase of a $2,600 gaming laptop.

In August, security researcher Volodymyr Diachenko found a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers' PII (Personally Identifiable Information).

The cluster contained records of customer orders and included data such as items purchased, customer email, customer (physical) address, phone number, and so forth: basically, everything you'd expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.
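The leak above comes down to one configuration state: a node listening on a public interface with no authentication in front of it. The following added check (an illustration written for this article, not Razer's code or anything from the report) flags that state in a flat elasticsearch.yml; it assumes simple `key: value` lines rather than full YAML, and both sample configs are constructed.

```python
"""Flag an Elasticsearch node reachable from outside without authentication.
Added illustration, not the article's or Razer's code. Handles only flat
'key: value' lines (assumption); both sample configs are constructed."""

# network.host values that keep the node bound to the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Turn flat 'key: value' lines into a dict; comments and blanks ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def exposure_findings(settings):
    """Return (severity, message) pairs; an empty list means no exposure."""
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch's default
    hosts = {h.strip() for h in host.strip("[]").split(",")}
    public = not hosts <= LOOPBACK
    auth_on = settings.get("xpack.security.enabled", "").lower() == "true"
    if public:
        findings.append(("info", f"network.host={host}: non-loopback bind"))
    if public and not auth_on:
        # Anyone who can reach port 9200 reads every index; search engines too.
        findings.append(("critical", "xpack.security.enabled is not true: "
                         "unauthenticated read access to every index"))
    return findings

# Constructed sample: the weak setting that leaks order records ...
EXPOSED_CONFIG = """
cluster.name: orders
network.host: 0.0.0.0
http.port: 9200
"""

# ... and the corrected one: credentials and TLS required on every request.
HARDENED_CONFIG = EXPOSED_CONFIG + """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, exposure_findings(parse_flat_yaml(cfg)) or "no findings")
```

The hardened config still reports the non-loopback bind as informational, since a node that must serve other hosts should additionally sit behind a firewall or allowlist rather than on every interface.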

Diachenko reported the misconfigured cluster, which contained roughly 100,000 users' records, to Razer immediately, but the report bounced from support rep to support rep for over three weeks before the issue was fixed.

Razer offered the following public statement about the leak:

We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed.

The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public.

We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers.

Razer and the cloud

This screenshot of Synapse 3's interface shows a user configuring the RGB backlighting on all of their Razer gear.

One of the things Razer is well known for, apart from the hardware itself, is requiring a cloud login for nearly anything related to that hardware. The company offers a unified configuration program, Synapse, which uses one interface to control all of a user's Razer gear.

Until last year, Synapse wouldn't function, and users couldn't configure their Razer gear (for example, change mouse resolution or keyboard backlighting), without logging in to a cloud account. Current versions of Synapse allow locally stored profiles for off-Internet use and what the company refers to as "Guest mode" to bypass the cloud login.

Many gamers are irritated by the insistence on a cloud account for hardware configuration that doesn't seem to be enhanced by its presence at all. Their pique is understandable, because the pervasive cloud functionality comes with cloud vulnerabilities. Over the last year, Razer awarded a single HackerOne user, s3cr3tsdn, 28 separate bounties.

We applaud Razer for offering and paying bug bounties, of course, but it's difficult to forget that these vulnerabilities wouldn't have been there (and globally exploitable) if Razer hadn't tied their device functionality so thoroughly to the cloud in the first place.

Why leaks like this matter

It's easy to respond dismissively to data leaks like this. The information exposed by Razer's misconfigured Elasticsearch cluster is private, but unlike similar information exposed in the Ashley Madison breach five years ago, the purchases involved are probably not going to end anybody's marriage. There are no passwords in the leaked transaction records, either.

But leaks like this do matter. Attackers can and do use information like that leaked here to increase the effectiveness of phishing scams. Armed with accurate details of customers' recent orders and physical and email addresses, attackers have a shot at impersonating Razer employees and social engineering those customers into giving up passwords and/or credit card details.

In addition to the usual email phishing scenario (a message that looks like official communication from Razer, including a link to a fake login page), attackers might cherry-pick the leaked database for high-value transactions and call those customers by phone. "Hello, $your_name, I'm calling from Razer. You ordered a Razer Blade 15 Base Edition at $2,599.99 on $order_date…" is an effective lead-in to fraudulently obtaining the customer's actual credit card number on the same call.

Leaks and breaches aren’t going away

We do not advise betting that an entire day will go by without public report of a data breach.

According to the Identity Theft Resource Center, publicly reported data breaches and leaks are down thirty-three percent so far, year over year. (IDTRC somewhat misleadingly classifies leaks like Razer's as breaches "caused by human or system error.") This sounds like good news, until you realize that still means several breaches per day, every day.

While the number of breaches is down this year (most likely, according to IDTRC, due to security hyper-vigilance by companies suddenly confronted with remote work needs at unprecedented scale), the number of scams is not. Attackers reuse breached or leaked data for semi-targeted phishing and credential stuffing attacks for years after the actual compromise.

Minimizing your threat profile

As a consumer, there is unfortunately little you can do about companies losing control of your data once they have it. Instead, you should focus on minimizing how much of your data companies have in the first place; for example, no one company should hold a password that can be used along with your name or email address to log in to an account at another company. You might also strongly consider whether you really need to create new, cloud-based accounts containing personally identifiable information in the first place.

Finally, be aware of how phishing and social engineering attacks work and how to guard against them. Avoid clicking links in email, particularly links that demand that you log in. Be aware of where those links go; most email clients, whether programs or Web-based, will let you see where a URL leads by hovering over it without clicking. Similarly, keep an eye on the address bar in your browser: a login page for MyFictitiousBank, however legitimate-seeming, is bad news if the URL in the address bar is
