Another day, another data breach – this time, unsuspecting customers of a gaming controller manufacturer have had their privacy exposed online. It all started when a research team from Comparitech revealed the details of a new data breach involving SCUF Gaming – a manufacturer of gaming controllers and other accessories.
The database, which numbered 1.1 million records and was left completely exposed to the public, included sensitive details such as customer names, contact information, payment information and employee records, among others.
According to the research team, the database was initially indexed by the Binary Edge search engine on April 2nd. Then on April 3, 2020, they found the database after it had been left exposed for not more than 2 days.
They immediately reported the matter to SCUF, which took action within a speedy 2 hours. However, by then it was too late. The database had already been downloaded by malicious actors, who left a ransom message along the lines of:
Your Database is downloaded and backed up on our secured servers. To recover your lost data, Send 0.3 BTC to our BitCoin Address and Contact us by eMail.
Here is a full preview of the ransom note:
This means that all of the customer data contained within the database could be misused to launch social engineering attacks and much more. Furthermore, the employee data could be used for spear-phishing campaigns and, eventually, to gain access to employee accounts.
However, a representative of Corsair Components – the parent company of SCUF Gaming – responded, stating that:
“We also discovered that a bot had connected to the database’s server and placed a ransom note there. We have no evidence that either the bot or any other actor was able to misappropriate customer data.
This issue was specific to one system, being operated off-site due to work-from-home precautions resulting from the current COVID-19 pandemic.”
The bot script […] did not encrypt/delete any data, and was not connected long enough to the server to download the database.
If this is indeed the case, then both the company and its customers may have been saved from the potential impact of the breach.
Delving into the details of the data, Comparitech reports that 1,128,649 of these records contained:
- full names,
- email addresses,
- billing addresses,
- shipping addresses,
- phone numbers,
- order histories.
991,478 records included the following payment details:
- order numbers,
- partial credit card numbers, with the majority of them only showing the last 4 digits, limiting their potential misuse,
- credit card expiration dates,
- order amounts,
- transaction IDs.
754 SCUF Gaming staff records included:
- full names,
- encrypted passwords,
- email addresses,
- user roles,
- session IDs valid for only 24 hours, rendering them useless.
Lastly, 144,379 records contained repair order details.
Nevertheless, both the discovery and patching of this breach were very timely, which mitigated its severity, but this should be taken as a serious lesson by SCUF Gaming to make changes to how they handle their cybersecurity.
To conclude, breaches have been around for a long time and will continue to be if companies do not step up their security measures. These measures, although simple, are often neglected and involve things such as encrypting databases, minimizing their exposure to the internet, implementing access control mechanisms to restrict privileged access and using two-factor authentication.