Peripheral specialist Razer is popular, which means it holds lots of personal information! And thanks to a “misconfigured Elasticsearch cluster”, these details – including home addresses – sat around openly for several weeks and weren’t even password protected.
As Ars Technica reports, the cluster was found last month by security researcher Volodymyr Diachenko, and it meant details like emails, home addresses and phone numbers were not only publicly available but were even indexed by search engines.
Diachenko reported the cluster to Razer, but his emails were “processed by non-technical support managers for more than three weeks until the instance was protected from public access”.
After Razer discovered the details on August 18, it fixed them on September 9 and sent Diachenko – who wrote about the cluster on his LinkedIn page – a statement:
We were made aware of a server misconfiguration by Mr. Volodymyr which may have revealed order details, customer and shipping information. No other sensitive information such as credit card numbers or passwords were disclosed. The server misconfiguration was fixed on September 9, before the bug was posted. We would like to thank you, sincerely apologize for the mistake, and have taken all necessary steps to correct the problem and conduct a thorough review of our IT security and systems. We continue to strive to ensure the digital security of all of our customers.
While the nature of the cluster meant it was difficult to get an exact number of affected accounts, Diachenko estimated it would be “around 100,000” based on the email addresses.