Over 100,000 users of gaming peripherals specialist Razer may have had their personal details leaked onto the internet.
According to a report by Ars Technica, the vulnerability was found by security researcher Volodymyr Diachenko. He stated that a “misconfigured Elasticsearch cluster” left Razer customers’ personal details, including their home addresses, sitting in the open for anyone to see, without any form of password protection.
As a result, details such as emails, phone numbers and even home addresses were not only publicly available but were also being indexed by search engines.
Diachenko said that he reported the misconfigured cluster, which contained the data of around 100,000 users, to Razer. His emails, however, were left with “non-technical support managers” for over three weeks before the cluster was finally secured from public access on September 9.
“We were made aware by Mr. Volodymyr of a server misconfiguration that potentially exposed order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed,” said Razer in a statement to Diachenko. “The server misconfiguration has been fixed on 9 Sept, prior to the lapse being made public. We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensure the digital safety and security of all our customers.”
The leak matters a lot for Razer, as the company is known for requiring a cloud login for just about anything related to its hardware. The company’s cloud-based configuration program, Synapse, gives users one unified interface to control all of their Razer peripherals.
The always-online, cloud-based nature of Synapse has rubbed some gamers the wrong way, with many questioning the need to tie hardware configuration to the cloud when it doesn’t really seem to benefit from it.
The backlash against the cloud features eventually forced Razer to allow Synapse to store profiles locally for offline use, while also giving it what Razer calls a “guest mode” to bypass the cloud login.
To help build goodwill with gamers and patch holes in its security, Razer has been offering bounties for any bugs and vulnerabilities reported by users. Last year alone, a single HackerOne user going by the handle s3cr3tsdn was awarded 28 separate bounties.
While efforts like these are commendable, it’s difficult to forget that these vulnerabilities wouldn’t be there in the first place if Razer hadn’t so thoroughly tied its device functionality to the cloud.
All incidents like this do is make gamers doubt whether or not picking a Razer peripheral is the right choice, especially if it could potentially leak their personal details to the public.