Scuf Gaming, a subsidiary of Corsair that sells custom gamepads for PS4, Xbox, and PC, left an unprotected database online. The incident exposed sensitive data belonging to the company’s customers and staff, and even internal API keys. The discovery was the work of security researcher Bob Diachenko, who determined that the database was first indexed on BinaryEdge on April 2, 2020. Scuf Gaming was notified the next day and took down the database in less than two hours.
Still, this was long enough for automated crawlers to locate the unprotected database and leave a ransom note demanding 0.3 BTC. The note states that the data has already been downloaded onto the actor’s servers, but that doesn’t seem to be the case, as no wiping ever happened. A Corsair spokesperson told Comparitech that the actors didn’t have the time to encrypt or delete the data stored in the database, so they couldn’t have managed to download it either.
The unprotected database contained customer and employee information, with entries created from 2017 until today. The following data was exposed:
While no full credit card details have been exposed, the data left unprotected online is enough for fraudsters, scammers, and phishing actors to work with. Any piece of information someone holds can serve as a lever for eliciting more data. So, if you’ve bought a custom game controller from Scuf Gaming, or if you have sent a product to their service department, bear in mind that scammers may try to trick you. Also, keep an eye on your bank account activity in case anything unusual shows up.