KEY POINTS

  • Around 100,000 Razer customers were affected after a misconfigured Elasticsearch cluster exposed their data
  • The incident left a huge "log chunk" of Personally Identifiable Information out in the open
  • Bob Diachenko said the information could have been used to carry out phishing attacks

A security researcher discovered that a misconfigured Elasticsearch cluster at Razer had been exposing its customers’ sensitive data since August.

As reported by Volodymyr “Bob” Diachenko, Razer misconfigured a huge “log chunk” of its Elasticsearch cluster and left a trail of valuable Personally Identifiable Information (PII) out in the open. Diachenko estimated that the incident affected around 100,000 of Razer’s customers.

Following the discovery, Diachenko said in a LinkedIn post that he immediately contacted Razer through its support channel. His efforts, however, fell on deaf ears, as his message “never reached” the right people at Razer. For more than three weeks, his reports were handled by non-technical support managers before the company secured the data from public access.


The misconfigured cluster Diachenko discovered contained customer records including purchased items, email addresses, physical addresses and phone numbers, among other details. Ars Technica said the cluster had also been indexed by public search engines.

In response, Razer issued a public statement confirming that it had been made aware of the leak.

“We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords were exposed,” said Razer, adding that they have fixed the problem on September 9.

Razer also apologized to its customers and said that it had taken all the necessary steps to fix the issue.

“We remain committed to ensure the digital safety and security of all our customers,” wrote Razer.

The security lapse is unusual for Razer, which, according to Ars Technica, is best known for Synapse, a “unified hardware configuration” tool customers use to do just about anything from customizing the lights on their mechanical keyboard to rebinding mouse buttons.

Had Diachenko not informed Razer, or had the company failed to resolve the issue, the leaked information could have been used to carry out phishing attempts. Attackers could disguise themselves as Razer and send customers malicious emails designed to lure them into handing over their passwords or credit card details. Because the records include each customer’s phone number, the same lure could also be delivered over other channels such as calls or text messages.