Security researchers today revealed that Razer, Inc., a global gaming hardware manufacturing company, e-sports and financial services provider, left thousands of customers’ order and shipping details exposed on the web without password via a misconfigured server. The exposed information includes full name, email, phone number, customer internal ID, order number, order details, billing and shipping address. The exact number of affected customers is yet to be assessed as originally it was part of a large log stored on a company’s Elasticsearch cluster misconfigured for public access since August 18th, 2020 and indexed by public search engines. Based on the number of the emails exposed, researchers estimate the total number of affected customers to be around 100K.
Leaving a database publicly accessible, unprotected without even a password, is a preventable yet common cause behind massive data leaks. In fact, breaches caused by cloud misconfigurations in 2018 and 2019 exposed nearly 33.4 billion records in total. If accessed by bad actors, the sensitive information exposed from Razer’s Elasticsearch database is more than enough fodder to launch targeted phishing attacks, engage in account takeover fraud, or even make a quick profit by selling the data on the dark web.
To avoid cloud misconfigurations, companies need to immediately shift toward a new model of security that provides continuous controls and enforces secure configurations of cloud services, instead of attempting to do so only after a breach has occurred. Organizations need a security solution that provides the automation essential to enforce policy, reduce risk, provide governance, impose compliance, and increase security across a large-scale, hybrid cloud infrastructure. Automation takes the headache out of making cloud infrastructure secure in a shared responsibility world by providing a framework for what organizations should be doing via a continuous, real-time process. By leveraging security automation, companies can stay agile and innovate while maintaining the integrity of their technology stacks and applying the unique policies necessary to operate their businesses.