Researcher Bob Diachenko reports gaming hardware giant, Razer Inc. recently experienced an incident exposing customer emails, phones, shipping and billing addresses and more online. Cybersecurity expert reacted below.
Researcher Bob Diachenko reports gaming hardware giant, Razer Inc. recently experienced an incident exposing customer emails, phones, shipping and billing addresses and more online. Cybersecurity expert reacted below.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
It’s obvious that some three weeks passed between the time a hacker came across the misconfigured database that revealed user PII, and the time it got fixed. It’s likely that when the researcher contacted Razer with the info on the data leak, that red flag may have been passed around internally before landing in the lap of someone who knew who to give the red flag to. Three weeks is a long time for this kind of fix.
Every company should have a vulnerability disclosure and/or bug bounty program. It also needs to ensure that whenever anyone contacts any employee about a vuln or bug, whether through Twitter or an incoming email to a sales or marketing contact, every employee knows who to route this information to, so the vuln is fixed in a more timely way. A “go-to” for all software vulnerabilities is critical.
Hackers are regularly contacting companies via twitter or support email address to advise them of vulnerabilities, and these people are doing a service for the company. Companies must provide known, go-to channels to quickly move these alerts, and they should also take steps to protect hackers who discover such vulns and bugs because hackers are trying to prevent attackers conducting any malicious acts.
Even better: companies can and should set up a specific email address that hackers can use to disclose a vulnerability, and respond with thanks to any member of the hacker community who’s actively trying to help them, because every leak enables their customers to be spear-phished.
The breach of Razer\’s database doesn\’t appear to have revealed any vital user information and they remediated the issue fairly quickly, but even non-vital information can be of value to an attacker. Knowing what a user purchased, and when, can be all a clever attacker needs to formulate a convincing phishing or social engineering attack. While some data points are \”more sensitive\” than others, a skilled social engineer can pull even small pieces into a picture they can use against their target.