Earlier this month, SCUF Gaming, a manufacturer of high-end gaming controllers for PC, Xbox and PS4 announced a security incident that left the personal information more than 1 million customers exposed online.
On April 1, security researcher Bob Diachenko discovered that a database on one of SCUF Gaming’s servers was freely accessible online without authentication or password. On April 2, the company was notified and immediately began to investigate and seal off further unauthorized access.
During the investigation, the company stumbled upon a note left by cybercriminals who had allegedly exfiltrated the data.
“Your Database is downloaded and backed up on our secured servers. To recover your lost data, Send 0.3 BTC to our BitCoin Address and Contact us by eMail.”
The data breach notification posted on SCUF Gaming’s official website states that “This issue was specific to one system, being operated off-site due to work-from-home precautions resulting from the current COVID-19 pandemic. It contained a database used for customer orders, returns and repairs, along with other non-sensitive customer information. We immediately took action to close off this access.”
It appears that the database contained both employee and customer information spanning 3 years, including:
• Full names, email addresses, billing addresses, shipping addresses, phone numbers, and order histories for 1,128,649 customers
• Payment details, including order numbers, partial credit card numbers, credit card expiration dates, order amounts, and transaction IDs for 991,478 customers
• Usernames, full names, encrypted passwords, email addresses, user roles and session IDs for 754 SCUF Gaming employees
• Repair order details for 144,479 customers
• Undisclosed number of API Keys
The company is now informing all affected parties and has started a security audit to make sure its systems and databases remain secure.
What is the risk?
Although the company reassures customers that “there is no risk of exposed customers’ full credit card numbers, credit card CVV numbers, scufgaming.com user names, encrypted customer passwords, or any card information for orders processed via PayPal or other payment methods,” bad actors can still use the stolen information in many ways. Personal identifiable information is enough for fraudsters and scammers to deploy sophisticated phishing attacks or impersonate you, ultimately leading to fraud. If you find yourself among the victims, remain calm and anticipate your risks.
Be aware that scammers can contact you using your email address and phone number. They can send you a phishing email appearing to be from the company and ask you for additional financial or personal information. Keep an eye out for unsolicited emails in your Inbox, and do not provide additional data that could help criminals paint the full picture. It’s also a good idea to monitor your bank account for suspicious activity.
Data breaches happen daily, and most Internet users have been or will become a victim in the near future. The aftermath is what matters and that’s where we really need to focus our energy – stopping cyber thieves from capitalizing on our data.