In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers’ PII (personally identifiable information).
The cluster contained records of customer orders, including what was purchased, the customer’s email address, physical address, phone number, and so on: essentially everything you would expect to see on a credit card transaction, though not the card numbers themselves. Misconfigured Elasticsearch clusters like this one are not only visible to the public, they are indexed by public search engines.
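The security-relevant point in that paragraph is that an Elasticsearch node reachable on its default port 9200 with security disabled answers anyone who asks, and the cluster metadata alone tells a scanner how many records are exposed before a single document is read. The script below is added here as an example; it is not code from Ars Technica, Razer or the researcher. It probes a host for exactly that condition and, if the cluster is open, counts documents per index. The host name, port and the two sample responses are constructed assumptions (the address is from the RFC 5737 documentation range), and only the Python standard library is used.

```python
"""Probe an Elasticsearch endpoint and report whether it answers unauthenticated.

Added example for this article; not code from Ars Technica, Razer or Diachenko.
The host/port arguments and the sample responses below are constructed
placeholders (RFC 5737 documentation address), not real targets.
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample of what an unprotected cluster returns for GET / .
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "orders-prod",
    "version": {"number": "7.9.1"},
    "tagline": "You Know, for Search",
})

# Constructed sample of GET /_cat/indices?format=json on the same cluster.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "orders",
     "docs.count": "100000", "store.size": "210mb"},
    {"health": "green", "status": "open", "index": "customers",
     "docs.count": "25000", "store.size": "40mb"},
])


def classify(status: int, body: str) -> str:
    """Turn the response to GET / into a verdict.

    'open'             : it is Elasticsearch and it answered with no credentials
    'auth-required'    : it is protected (HTTP 401 from the security layer or a proxy)
    'not-elasticsearch': something else listens on the port
    """
    if status == 401:
        return "auth-required"
    if status != 200:
        return f"http-{status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"
    return "not-elasticsearch"


def summarize_indices(body: str) -> dict:
    """Map index name -> document count from a _cat/indices?format=json body.

    On an open cluster this is the first thing a scanner (or a researcher)
    pulls: it shows how many records are exposed without reading any of them.
    """
    return {row["index"]: int(row["docs.count"]) for row in json.loads(body)}


def _get(url: str, timeout: float):
    """HTTP GET returning (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, port: int = 9200, timeout: float = 3.0) -> dict:
    """Probe http://host:port/ and, if it is open, count the exposed documents."""
    base = f"http://{host}:{port}"
    try:
        verdict = classify(*_get(base + "/", timeout))
        result = {"target": base, "verdict": verdict}
        if verdict == "open":
            status, body = _get(base + "/_cat/indices?format=json", timeout)
            if status == 200:
                result["indices"] = summarize_indices(body)
        return result
    except (urllib.error.URLError, OSError) as err:
        return {"target": base, "verdict": "unreachable", "error": str(err)}


if __name__ == "__main__":
    # Usage: python es_probe.py <host> [port]   (only probe hosts you own)
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9200
    print(json.dumps(probe(target, port), indent=2))
```

Run it against your own nodes only. A verdict of "open" on anything reachable from the Internet is the Razer situation; the fix is on the cluster side (bind to a private interface and enable authentication), not on the scanner side.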
I must say that I have really enjoyed my conversations with different agents at the @Razer support team via email for the last two weeks, but it doesn’t bring us any closer to getting the data breach secured in their systems. pic.twitter.com/Z6YZ5wvejl
— Bob Diachenko (@MayhemDayOne) September 1, 2020
Diachenko reported the misconfigured cluster, which held roughly 100,000 users’ data, to Razer immediately, but the report bounced from support agent to support agent for more than three weeks before the problem was fixed.
Razer gave the following public statement about the leak:
We were made aware by Mr. Volodymyr of a server misconfiguration that could expose order details, customer and shipping information. No other sensitive data such as credit card numbers or passwords was exposed.
The server misconfiguration was fixed on 9 September, before the lapse was made public.
We would like to thank you, sincerely apologize for the lapse and have taken all necessary steps to fix the issue and conduct a thorough review of our IT security and systems. We are committed to ensuring the digital safety and security of all our customers.
We also reached out to Razer for comment. Shortly after this article was published, a Razer representative confirmed the information above and added that concerned customers can send questions to DPO@razer.com.
Razer and the cloud
One of the things Razer is well known for, besides the hardware itself, is requiring cloud access for anything related to that hardware. The company offers a unified configuration system, Synapse, which uses a single interface to control all of a user’s Razer gear.
Until last year, Synapse would not work, and users could not configure their Razer gear (to change a mouse’s resolution or remap its back button, for example) without logging into a cloud account. Current versions of Synapse allow locally stored profiles for offline use, as well as what the company calls “Guest Mode”, to bypass cloud access.
Many gamers are annoyed at having to rely on a cloud account to set up peripherals, in an app that does not seem to be improved by the cloud’s presence. Their pique is understandable, because cloud functionality brings cloud vulnerabilities with it. Last year, Razer paid a single HackerOne user, s3cr3tsdn, 28 separate bounties.
We applaud Razer for offering and paying bug bounties, of course, but it is hard to forget that those vulnerabilities would not have existed (or been exploitable from anywhere in the world) if Razer had not tied its devices’ functionality to the cloud in the first place.
Why leaks like this matter
It is easy to shrug off data leaks like this one. The information exposed by Razer’s misconfigured Elasticsearch cluster is private, but unlike the data exposed in the Ashley Madison breach five years ago, the purchases involved were probably not going to end anyone’s marriage. No passwords were leaked in the transaction data, either.
But leaks like this matter. Attackers can and do use data like that leaked here to make their scams more convincing. Armed with accurate details of customers’ recent orders, along with their physical and email addresses, attackers have a good shot at convincing those customers, or Razer’s own employees, to give up passwords and/or credit card details.
In addition to the usual email phishing scenario (a message that looks like an official communication from Razer, with a link to a fake login page), attackers can cherry-pick a leaked database for high-value transactions and call those customers by phone. “Hello, $your_name, I’m calling from Razer. You ordered the Razer Blade 15 Base Edition at $2,599.99 on $order_date…” is an effective lead-in for extracting the customer’s credit card number on that same call.
Leaks and breaches aren’t going away
According to the Identity Theft Resource Center (ITRC), publicly reported data breaches and leaks are down 33 percent so far this year, year over year. (The ITRC classifies leaks like Razer’s as breaches “caused by human or system error.”) That sounds like good news, until you realize it still means multiple breaches per day, every single day.
While the number of breaches is down this year (most likely, according to the ITRC, because of heightened security vigilance at companies suddenly faced with remote work on an unprecedented scale), the number of scams is not. Attackers keep using breached or leaked data for semi-targeted phishing and credential attacks for years after the original breach.
Reduce your threat profile
As a consumer, there is unfortunately little you can do about companies losing control of your data once they have it. Instead, focus on reducing the value of your data in the first place. For example, no company should hold a password that, combined with your name or email address, would log into an account at another company. You should also ask whether it is really necessary to create yet another cloud-based account that contains personally identifiable information at all.
Finally, learn how phishing and social engineering attacks work and how to guard against them. Avoid clicking links in email, especially links that ask you to sign in. Note where those links go: most email clients, whether desktop programs or web-based, let you see where a URL leads by hovering over it without clicking. Also keep an eye on the address bar in your browser: the MyFictitiousBank login page, however legitimate it appears, is bad news if the URL in the address bar is DougsDogWashing.biz.
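As an added example, not part of the original article, the script below does the hover-and-look check from the paragraph above programmatically for an HTML email: it extracts every link, compares the host the browser would actually contact against the domains the message claims to be from, and flags the two tricks an eyeball check most often misses, a look-alike subdomain such as razer.com.account-verify.example and a userinfo prefix such as https://razer.com@203.0.113.5/. The trusted-domain set, the sample message and the 203.0.113.5 address are constructed placeholders; only the Python standard library is used.

```python
"""Audit the links in an HTML email against the domains it claims to come from.

Added example for this article, not code from Ars Technica or Razer. The
trusted domains, the sample message and the 203.0.113.5 address are
constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the message claims to be from. A real mail filter would derive these
# from the sender's verified domain rather than hard-code them.
TRUSTED_DOMAINS = {"razer.com", "myfictitiousbank.example"}

# Constructed phishing sample: one honest link and two common tricks.
SAMPLE_MAIL = """
<p>Your order has been updated. <a href="https://www.razer.com/account">Sign in</a></p>
<p>Or verify here: <a href="https://razer.com.account-verify.example/login">https://razer.com/login</a></p>
<p>Need help? <a href="https://razer.com@203.0.113.5/login">razer.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname actually contacted: urlsplit drops userinfo ('razer.com@...') and port."""
    return (urlsplit(url).hostname or "").lower()


def text_host(text: str) -> str:
    """If the visible link text looks like a URL or a bare domain, return its host."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = host_of(candidate)
    return host if "." in host and " " not in host else ""


def is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match or a real subdomain; 'razer.com.evil.example' must not pass."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit(html_body: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return one finding per link with the reasons it looks suspicious, if any."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        if not is_trusted(host, trusted):
            reasons.append("host not in trusted set")
        if urlsplit(href).username is not None:
            reasons.append("userinfo before host")
        shown = text_host(text)
        if shown and shown != host:
            reasons.append("link text shows a different host")
        findings.append({"text": text, "href": href, "host": host,
                         "reasons": reasons,
                         "verdict": "suspicious" if reasons else "ok"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_MAIL):
        print(f["verdict"].upper(), f["host"], "<-", repr(f["text"]), "; ".join(f["reasons"]))
```

The suffix match in is_trusted is the part people get wrong: checking that the host merely contains "razer.com" would wave through razer.com.account-verify.example, while requiring the host to end in ".razer.com" does not.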
Listing image by Jim Salter