Razer gaming company source code, encryption keys, database and network credentials hacked

Gaming gear manufacturer Razer is believed to have suffered a data breach after a buyer on a hackers’ forum offered stolen data for US$100,000 (S$134,898) in bitcoin on Saturday. The company said in a statement on Twitter that it is looking into the possibility of a data breach and is aware that one may have occurred. The data that was being sold includes the source code and back-end access logins for Razer’s website and the items that the company sells.

This included folders labeled zVault, a reference to Razer’s digital wallet, which was introduced in March 2017 and eventually made way for Razer Gold in December 2018. It also featured folders that purportedly included encryption keys and data related to its reward system. The supposed e-mail addresses of consumers having virtual credit in their Razer Gold accounts were also shown in the sample. The buyer said that the vendor had 404,000 accounts; however, this information could not be confirmed.

The data was offered for sale on the hackers’ site, where the vendor said that he would only sell it to a single buyer for the asking price of one hundred thousand dollars in Monero cryptocurrency. However, he emphasized that he would be willing to consider proposals lower than the specified sum. According to the website for the cryptocurrency, transactions made using Monero are kept secret. It is more difficult to determine whose wallet supplied or received the money since users of the cryptocurrency are shielded from identification by design, and information pertaining to transactions is not publicly disclosed.

A spokeswoman for Razer said, “We have been made aware of a potential breach and are currently investigating.” When questioned whether the personal information of customers, such as their credit card numbers, had been taken, and whether this data breach was connected to the one that the company experienced in 2020, the official stated, “We have been made aware of a potential breach.”

During the prior data incident, a server misconfiguration led to the disclosure of the personal and shipping information of about 100,000 Razer customers located throughout the globe. Razer filed a claim for damages against its IT provider, Capgemini, alleging that the security breach was caused by a former employee of the latter company who disabled the security settings of a computer system by adding a “#” command to a line of code.

Because of this, information that was saved in the system became accessible to the general public between June 18, 2020 and September 10, 2020. On December 9, 2022, the High Court determined that Razer was entitled to damages of $6.5 million USD. However, on Monday, attorneys for Capgemini filed an appeal arguing that the company should pay just minimal damages to Razer rather than the whole sum. They based their argument on the fact that Razer had failed to take action despite receiving five separate warnings from a cyber-security expert about the breach.

As of now, Razer has reset all member accounts, invalidating their active sessions and requesting them to reset their passwords.