Data belonging to about 100,000 Razer customers was exposed online through a misconfigured server, according to an independent security consultant. The data was stored in a log chunk on an Elasticsearch cluster that was configured to allow public access. The sensitive data was also indexed by public search engines, making it discoverable through a basic online search. Volodymyr “Bob” Diachenko, the security expert known for unearthing exposed cloud databases, said that he also faced challenges in reporting the data leak.
The information exposed in Razer’s data leak
The data leak exposed personal and transaction details including full name, email, phone number, customer internal ID, order number, order details, and billing and shipping addresses.
Diachenko said it was difficult to estimate the total number of affected customers. However, based on the number of emails exposed, he estimated the figure to be around 100,000.
Razer’s exposure is an example of preventable yet common massive data leaks that erode public trust in cloud databases. Such breaches also provide valuable data for attackers to launch targeted phishing attacks against unsuspecting customers.
For example, scammers could use the information to pose as Razer employees or affiliated companies and trick victims into clicking on phishing links or downloading malware. Cybercriminals could also sell the information on the dark web for a quick profit or use it for account takeover.
Commenting on Razer’s data leak, Anurag Kahol, Bitglass CTO, says that “leaving a database publicly accessible with customer information is, unfortunately, a common occurrence, yet it is one of the more basic security risks to prevent. Moving forward, organizations must take a more proactive and holistic approach to cloud security in order to identify and remediate misconfigurations and ensure sensitive data is secured.”
Razer responds to customers’ data leak
Razer sealed the data leak on August 9, 2020, before it was made public. The eSports and financial services provider also acknowledged the massive data leak in a statement sent to Diachenko. The response came after several unsuccessful attempts by the consultant to contact the company. It took about three weeks to reach the right people at Razer, as Diachenko’s messages always ended up in the non-technical support managers’ inbox.
Razer also clarified that only personal, order, and shipping details were exposed in the data leak. Other sensitive information such as passwords or credit card numbers was not exposed. The gaming hardware manufacturer also said that it would scrutinize its IT security policies following the incident.
Misconfigured cloud databases: security concerns and mitigations
Accessing misconfigured cloud databases is a trivial task even for individuals lacking advanced technical skills. Anyone could have accidentally stumbled upon Razer’s data through a basic online search.
Simple configuration mistakes are a major threat to sensitive information stored in cloud databases. Between 2018 and 2019, cloud misconfigurations were responsible for leaking about 33.4 billion records. The high volume of data exposed from cloud databases indicates a lack of proper data security policies within the affected organizations.
This situation shows the importance of adopting a security model that relies on secure configuration of cloud databases and continuous controls, rather than reacting to breaches. Companies should adopt security automation solutions that enforce policy, impose compliance, and manage the security of cloud databases holistically at the infrastructure level.
Automation lifts the responsibility for cloud security from individuals, removing the headache associated with managing cloud infrastructure security configurations. Instead, it creates a framework that keeps organizations compliant by following simple security practices.
For his part, Kahol advised organizations to implement “multi-faceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, and encrypt sensitive data at rest.” He also recommended the implementation of strict data-sharing policies to prevent leakages, thus ensuring the privacy and the security of the sensitive information stored in cloud databases.
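As an illustration of the automated misconfiguration checks described above, the following added example (not from the article, Razer, or Bitglass) audits an elasticsearch.yml body for a node that is reachable off-host without authentication or TLS. The article does not say which settings were wrong in Razer's case; the sample configs, function names, and finding codes are constructed for this sketch.

```python
import ipaddress

# Constructed sample configs; the article does not publish Razer's real settings.
EXPOSED = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED = (
    "network.host: 10.0.4.12  # private interface only\n"
    "xpack.security.enabled: true\n"
    "xpack.security.http.ssl.enabled: true\n"
)

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' layout used in elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    """True when the bind address is only reachable from the node itself."""
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and values like _site_: treat as reachable

def enabled(cfg, key):
    # Assumption: an absent setting counts as disabled (the conservative reading).
    return cfg.get(key, "").lower() == "true"

def audit(text):
    """Return (code, message) findings for an elasticsearch.yml body."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("network.host", "_local_")  # unset means loopback-only binding
    if is_loopback(host):
        return []
    findings = []
    if not enabled(cfg, "xpack.security.enabled"):
        findings.append(("no-auth", f"network.host={host} is reachable off-node and authentication is off"))
    if not enabled(cfg, "xpack.security.http.ssl.enabled"):
        findings.append(("no-tls", f"network.host={host} serves HTTP without TLS"))
    return findings

if __name__ == "__main__":
    for name, body in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(body) or "ok")
```

A check like this belongs in a deployment pipeline or scheduled posture scan, so a weak configuration is caught before the node is reachable rather than after a third party reports it.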