Personal information of Zotac customers out in the open due to faulty server configuration
Zotac, a manufacturer of high-performance graphics cards and mini PC solutions, dropped the ball and made a huge mistake. Simply entering the right search query in Google Search exposed all kinds of personal information about both corporate and consumer purchases.
In a YouTube video, Gamers Nexus demonstrates what happens if you enter a search query like ‘RMA site:zotacusa.com’. The first result is a personal email address and an approved RMA claim.
The same method could be used to find invoices, credit memos, consumer warranties, and corporate and consumer acquisitions. In other words, personal information and business data were publicly accessible, including names, shipping addresses, phone numbers, order histories, purchases, prices, order and invoice numbers, chat logs and screenshots.
In some cases financial information such as tax numbers, banking numbers, payment method and the last few digits of credit cards was visible.
What exactly happened? It basically comes down to this: all the files customers uploaded to Zotac’s site were stored on Google’s public web servers, making them searchable.
A customer reached out to Zotac, who then removed his personal information. But the issue wasn’t resolved at large. That is, until Gamers Nexus got involved. The channel informed the Hong Kong-based tech company and several businesses about the issue, who in turn contacted Zotac. Within a few hours the problem was fixed.
At the moment of writing, digital documents can still be searched and found, but they’re no longer accessible. When clicking on a URL, a dead link screen appears. To remove them from Google’s cache, click on the three dots on the Google Search Engine Result Page (SERP) and submit a takedown request.
Zotac disabled the upload button on its website until the company is able to properly fix the issue. In addition, customers also have to send emails with attachments to a separate inbox. Lastly, the company changed the server configuration so that personal information is no longer publicly displayed.
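The root cause described above is customer uploads being served from a publicly reachable path that search engines could crawl. As an added example (not code from the article, Zotac or Gamers Nexus), the following detection logic runs over constructed web-server access-log lines and flags search-engine crawlers that successfully fetched files under customer-upload paths; the path prefixes and crawler markers are assumptions, and a hit like this is the early warning that uploads are about to be indexed.

```python
import re
from dataclasses import dataclass

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed prefixes under which customer-supplied documents (RMA forms, invoices,
# chat logs) live; nothing below them should ever be crawlable.
SENSITIVE_PREFIXES = ("/uploads/", "/rma/attachments/")
# Well-known crawler user-agent markers. UA strings can be spoofed, so this is a
# heuristic for alerting, not proof that Google itself fetched the file.
CRAWLER_MARKERS = ("Googlebot", "bingbot", "DuckDuckBot", "YandexBot")


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    ua: str


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_crawler(ua):
    return any(marker in ua for marker in CRAWLER_MARKERS)


def find_crawled_uploads(lines):
    """Return a Finding for every crawler request that got a 2xx on a sensitive path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if rec["path"].startswith(SENSITIVE_PREFIXES) and is_crawler(rec["ua"]) and 200 <= rec["status"] < 300:
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], rec["status"], rec["ua"]))
    return findings


# Constructed sample log lines (IPs, dates and file names are made up).
SAMPLE_LOG = [
    '66.249.66.1 - - [10/Jul/2020:12:00:01 +0000] "GET /uploads/rma-12345-invoice.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [10/Jul/2020:12:00:05 +0000] "GET /uploads/rma-12345-invoice.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/78.0"',
    '66.249.66.1 - - [10/Jul/2020:12:01:10 +0000] "GET /uploads/rma-9999-photo.png HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [10/Jul/2020:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '40.77.167.3 - - [10/Jul/2020:12:03:30 +0000] "GET /rma/attachments/chat-log.txt HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]

if __name__ == "__main__":
    for f in find_crawled_uploads(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} fetched {f.path} ({f.status}) as {f.ua}")
```

Of the five constructed lines, only the Googlebot fetch of the invoice and the bingbot fetch of the chat log are reported; the human download, the 403 and the crawl of the public index page are not. Alerting on this is a stopgap: the durable fix is the one the article describes, keeping uploads out of any publicly served path.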