Razer data leak – Experts Reaction

Researcher Bob Diachenko reports that gaming hardware giant Razer Inc. recently experienced an incident that exposed customer emails, phone numbers, shipping and billing addresses and more online. Cybersecurity experts reacted below.

Expert Comments

September 15, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
It’s obvious that some three weeks passed between the time a hacker came across the misconfigured database that revealed user PII, and the time it got fixed. It’s likely that when the researcher contacted Razer with the info on the data leak, that red flag may have been passed around internally before landing in the lap of someone who knew who to give the red flag to. Three weeks is a long time for this kind of fix. Every company should have a vulnerability disclosure and/or bug bounty program. It also needs to ensure that whenever anyone contacts any employee about a vuln or bug, whether through Twitter or an incoming email to a sales or marketing contact, every employee knows who to route this information to, so the vuln is fixed in a more timely way. A “go-to” for all software vulnerabilities is critical. Hackers are regularly contacting companies via Twitter or support email address to advise them of vulnerabilities, and these people are doing a service for the company. Companies must provide known, go-to channels to quickly move these alerts, and they should also take steps to protect hackers who discover such vulns and bugs because hackers are trying to prevent attackers conducting any malicious acts. Even better: companies can and should set up a specific email address that hackers can use to disclose a vulnerability, and respond with thanks to any member of the hacker community who’s actively trying to help them, because every leak enables their customers to be spear-phished.
September 15, 2020
Saryu Nayyar
CEO
Gurucul
The breach of Razer's database doesn't appear to have revealed any vital user information and they remediated the issue fairly quickly, but even non-vital information can be of value to an attacker. Knowing what a user purchased, and when, can be all a clever attacker needs to formulate a convincing phishing or social engineering attack. While some data points are "more sensitive" than others, a skilled social engineer can pull even small pieces into a picture they can use against their target.