Being as popular as they are, peripheral specialists Razer have a lot of people’s personal details! And for a few weeks, thanks to a “misconfigured Elasticsearch cluster”, those details—including home addresses—were kinda sitting around in the open, not even protected by a password.
As Ars Technica report, the cluster was found last month by security researcher Volodymyr Diachenko. Its exposure meant that details like emails, home addresses and phone numbers were not only publicly available, but were even being indexed by search engines.
Diachenko reported the cluster to Razer, but his emails were “processed by non-technical support managers for more than 3 weeks until the instance was secured from public access.”
Diachenko discovered the details on August 18. Razer fixed the issue on September 9 and sent Diachenko, who wrote about the cluster on his…LinkedIn page, a statement:
“We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed. The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers.”
While the nature of the cluster meant it was difficult to get an exact number of affected accounts, Diachenko estimated it would be “around 100K” based on the email addresses.