Hardware Manufacturer ZOTAC Experiences Security Slip-Up: Customer Sensitive Information from Returns and Exchanges Leaked Online
Hardware manufacturer ZOTAC recently suffered a security lapse: the security controls on the company's after-sales system were found to be inadequate, so sensitive customer information from returns and exchanges was reachable by Google's crawlers and subsequently appeared in Google search results.
The exposed information includes customer names, telephone numbers, email addresses, and mailing addresses, all of which are considered sensitive. The duration for which this information was exposed remains unclear.
The issue was first discovered by the tech website Gamers Nexus, whose editor was surprised to find an after-sales request form they had submitted to ZOTAC turning up in Google search, available for download.
According to ZOTAC's after-sales process, customers are required to fill out a form with their real information and upload it to ZOTAC's after-sales service system; that system is the source of the exposed documents.
Under normal circumstances, ZOTAC should have restricted access to the uploaded files so that only the after-sales team could reach them. However, the security policy deployed on ZOTAC's servers was flawed, leaving these files publicly viewable and downloadable.
In addition to customer data, Gamers Nexus also found invoices from companies such as Micro Center and iBuyPower; these are sensitive as well, but were made public by the same oversight on ZOTAC's side.
Following the discovery, the website immediately sent security reports to ZOTAC and the other affected companies. Google still lists ZOTAC's after-sales files in its search results, but their access permissions have since been changed, so the indexed links no longer return the files directly.
ZOTAC has also revised its after-sales process by removing the upload button through which customers originally submitted the electronic forms. Customers must now send the forms by email, so that the forms are not exposed online again.
A search by LanDian.Net for related keywords indicates that a significant number of files were exposed by ZOTAC. Given that Google has indexed several hundred documents, a far larger number may remain unindexed, which would let an attacker download all of the files by enumeration.
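As an added illustration, not ZOTAC's code or anything from the article, the following Python model shows the controls whose absence the report describes: uploaded forms kept outside the web root, served only to authorised after-sales staff, addressed by random tokens rather than guessable ticket numbers, and returned with headers telling crawlers not to index them. All names (`UPLOAD_ROOT`, `STAFF_ROLE`, `store_upload`, `serve_download`) and the sample form content are assumptions constructed for this example.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional, Tuple

# Constructed, self-contained model of an after-sales upload store (not
# ZOTAC's implementation). Uploads live outside any web document root, so no
# URL maps to them directly; the only way to a file is serve_download().
UPLOAD_ROOT = tempfile.mkdtemp(prefix="rma_uploads_")
STAFF_ROLE = "after_sales"

# token -> (ticket id, stored path). Tokens are random, so one leaked link
# does not let a crawler or attacker enumerate neighbouring tickets.
_index: Dict[str, Tuple[str, str]] = {}


def store_upload(ticket_id: str, content: bytes) -> str:
    """Save an uploaded form and return an opaque download token (never the ticket id)."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(UPLOAD_ROOT, token)
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # readable by the service account only
    _index[token] = (ticket_id, path)
    return token


def serve_download(role: Optional[str], token: str) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) as a download endpoint would.

    Unauthenticated or non-staff callers (a search-engine crawler has no
    session at all) are refused before any file lookup. The headers stop
    indexers and shared caches from retaining the response even for staff.
    """
    headers = {
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "private, no-store",
    }
    if role != STAFF_ROLE:
        return 403, headers, b""
    entry = _index.get(token)
    if entry is None:
        return 404, headers, b""
    with open(entry[1], "rb") as fh:
        return 200, headers, fh.read()
```

A real deployment would tie `role` to a server-side session and log each download; the model keeps only the authorisation and naming decisions that the exposure hinged on.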
As of now, ZOTAC has not released a detailed statement regarding the security incident, so the exact number of exposed files is unknown. However, given the frequency of after-sales requests, the number of files at risk could be in the tens of thousands.