https://cdn.vox-cdn.com/thumbor/neTnWMukT56N9IwHxv2I7Nr39dw=/0x0:2040x1360/2420x1613/filters:focal(857x517:1183x843)/cdn.vox-cdn.com/uploads/chorus_image/image/67403602/akrales_181030_3044_0044.0.jpg
Photo by Amelia Holowaty Krales / The Verge

Razer accidentally leaked the personal information for over 100,000 gamers, report says

Email addresses and phone numbers were leaked

by

Razer accidentally exposed over 100,000 gamers’ personal information for close to a month, according to a new report.

Security researcher Volodymyr Diachenko discovered that customer data on Razer’s website was made publicly available on August 18th because of a server misconfiguration. A redacted sample pictured below shows records of orders made on the company’s digital store, exposing personal information including email and mailing addresses, the type of product ordered, and phone numbers. Credit card information was not included.

https://cdn.vox-cdn.com/thumbor/9MVd6wbJFDgVamqHJ_M9Y4xZ20s=/0x0:2232x515/1920x0/filters:focal(0x0:2232x515):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/21879897/0.png
No credit card information, but customers’ email and mailing addresses were compromised.Image: Volodymyr Diachenko

After discovering the misconfiguration online, Diachenko says he reached out to Razer several times over the span of three weeks before receiving a reply. In a statement sent to Diachenko, the gaming hardware manufacturer acknowledged the server misconfiguration and that the data leak potentially exposed personal information like full names, phone numbers, and shipping addresses for customers. Razer says that “no other sensitive data” such as payment methods were leaked and that it fixed the misconfiguration on September 9th. Razer confirmed the issue in an email to The Verge and said that customers that have any questions about the leak can reach out to DPO@razer.com.

Even though no sensitive payment information was exposed, personal information, including email addresses, can be used for phishing campaigns to obtain further information such as passwords for online accounts or payment details.

Update September 14th, 1:07PM ET: Added a statement from Razer to The Verge.