An estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, have had their private info exposed, according to a researcher.
Security consultant Bob Diachenko ran across a misconfigured Elasticsearch cloud cluster that exposed a segment of Razer’s infrastructure to the public internet, for anyone to see. It contained a raft of information of use to cybercriminals, including full name, email, phone number, customer internal ID, order number, order details, billing and shipping address.
Diachenko said the 100,000 figure is his own estimate; Threatpost reached out to Razer for more details.
“The exact number of affected customers is yet to be assessed, as originally it was part of a large log chunk stored on a company’s Elasticsearch cluster misconfigured for public access since August 18th, 2020 and indexed by public search engines,” he said, in a LinkedIn posting on Thursday. “Based on the number of the emails exposed, I would estimate the total number of affected customers to be around 100K.”
He said that he discovered the exposed database on Aug. 18, and on Aug. 19 notified the company of the issue. After getting a support ticket and case number via Razer’s support channel, the remediation process was bogged down by being bounced around between non-technical support managers for more than three weeks, he said.
https://twitter.com/MayhemDayOne/status/1300811914050707456
Finally, the cloud instance was secured from public access.
There’s no way of knowing whether the database had been accessed by other, more nefarious web surfers, but Diachenko pointed out that the information could be used in social-engineering and fraud attacks.
“The customer records could be used by criminals to launch targeted phishing attacks wherein the scammer poses as Razer or a related company,” he wrote. “Customers should be on the lookout for phishing attempts sent to their phone or email address. Malicious emails or messages might encourage victims to click on links to fake login pages or download malware onto their device.”
Some Razer customers seemed jaded to the news:
If someone knows their way around the internet I'm sure they can find my basic info or any other person's. Hell, Facebook just had a data breach and stored millions of users' passwords in plain text, and that Cambridge Analytica scandal. Then there's that Google+ data breach.
— Jack (@mintyfre5hh) March 22, 2019
Cloud Misconfigs Continue Apace
Cloud misconfigurations that lead to data leaks and breaches are far from uncommon – in fact, a Palo Alto Networks Unit 42 report from earlier this year found that more than half (60 percent) of breaches occur in the public cloud due to misconfiguration.
In April for instance, Key Ring, creator of a digital wallet app used by 14 million people across North America, found that it exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet via an Amazon Web Services S3 server.
In June, an AWS cloud-storage bucket that was left open to the public internet exposed thousands of Joomla users’ personal information. And in July, an exposed Elasticsearch server belonging to Software MacKiev put 60,000 users of the Family Tree Maker software at risk.
“The use of the cloud enables organizations to reach their goals and scale with ease,” Anurag Kahol, CTO at Bitglass, said via email. “As more organizations adopt cloud-based tools to obtain a competitive advantage, the rate of cloud application usage increases in tandem. However, most organizations are not equipped to handle the security demands of the cloud. In fact, 86 percent of companies deploy cloud applications, yet just 34 percent have single sign-on (SSO) solutions in place, demonstrating a massive gap in cloud adoption and necessary cloud-security solutions.”
One of the issues at play is that developers have become accustomed to deploying apps in data centers with what could be described as a “crunchy hard outer layer” that keeps the data center secure. But when it comes to the public cloud, “it just doesn’t exist that way,” Ryan Olson, vice president of threat intelligence with the Unit 42 research team, told Threatpost, adding that the shift is leading to poor cloud configuration choices, which in turn are leaving sensitive data exposed.
“Leaving a database publicly accessible with customer information is unfortunately a common occurrence, yet it is one of the more basic security risks to prevent,” Kahol concluded. “Moving forward, organizations must take a more proactive and holistic approach to cloud security in order to identify and remediate misconfigurations and ensure sensitive data is secured. By implementing multi-faceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties and prevent data leakage, organizations can ensure the privacy and security of sensitive information.”
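The exposure described above, an Elasticsearch cluster reachable from the public internet with no authentication in front of it, and the posture-management check Kahol recommends, can both be illustrated with a small configuration audit. The following is an added example, not code from Razer, Diachenko or Threatpost: the two elasticsearch.yml fragments are constructed (the cluster name, node name and addresses are invented; the setting keys network.host, http.port and the xpack.security.* flags are real Elasticsearch settings), and the audit flags the combination of an all-interfaces bind address with security disabled, which is the pattern that turns a log store into a public dataset.

```python
"""Audit an Elasticsearch node configuration for public-exposure
misconfigurations. Added example; the config fragments are constructed."""

# Constructed: a node bound to every interface with security switched off.
# This is the weak configuration that the hardened one below corrects.
WEAK_CONFIG = """\
cluster.name: orders-logs
node.name: es-node-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: the hardened counterpart. The node listens only on a private
# address, authentication is enforced, and HTTP/transport traffic uses TLS.
HARDENED_CONFIG = """\
cluster.name: orders-logs
node.name: es-node-1
network.host: 10.0.12.7
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Bind values that expose the HTTP API on every (or every public) interface.
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_settings(text):
    """Parse the flat `key: value` lines used in elasticsearch.yml.

    Comments and blank lines are skipped. Elasticsearch accepts this dotted
    flat form; nested YAML is out of scope for this small parser.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # network.host defaults to _local_ (loopback only); a list is allowed,
    # e.g. "[_local_, _site_]", so split it before checking.
    host = settings.get("network.host", "_local_")
    hosts = {h.strip() for h in host.strip("[]").split(",")}
    public_bind = bool(hosts & ALL_INTERFACES)
    if public_bind:
        findings.append("network.host binds the HTTP API to all interfaces")

    # Treat anything other than an explicit true as unauthenticated; this is
    # deliberately conservative rather than relying on version defaults.
    security_on = settings.get("xpack.security.enabled", "").lower() == "true"
    if not security_on:
        findings.append("xpack.security.enabled is not true: no authentication on the API")

    if public_bind and not security_on:
        findings.append("CRITICAL: unauthenticated cluster reachable from any network")

    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP TLS is not enabled: credentials and data travel in clear text")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(parse_settings(cfg)) or ["no findings"]:
            print("  -", finding)
```

Running the audit over the weak fragment yields four findings, including the critical one; the hardened fragment yields none. A real posture-management tool would evaluate the live cluster and its cloud network rules rather than a file, but the decision logic, bind scope combined with whether authentication is enforced, is the same.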