Gaming hardware manufacturer Zotac has been found leaking return merchandise authorisation (RMA) requests and related documents online for an unknown period. The discovery was made by a viewer of the YouTube Channel GamersNexus. The channel reported the leak later on X without naming Zotac and then disclosed more details in a YouTube video.
The issue lay in misconfigured web folders that hold RMA data, causing them to be indexed by search engines. Consequently, search terms containing individuals’ or companies’ names along with the “zotacusa.com” site parameter revealed personal information in the form of invoices, addresses, request details, and contact information.
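As an added illustration (not from the article, and not Zotac's code), the following Python script shows one defender-side check for the kind of exposure described above: it parses web-server access logs and flags successful search-engine crawler fetches under a document-upload path. The log lines are constructed for this example, and the `/rma/uploads/` path and crawler list are assumptions.

```python
import re
from typing import List, Dict

# Constructed access-log lines in Combined Log Format (made up for this example;
# the upload path, IPs and crawler names are assumptions, not Zotac's data).
SAMPLE_LOG = """\
66.249.66.1 - - [10/Jul/2024:08:15:02 +0000] "GET /rma/uploads/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [10/Jul/2024:08:15:03 +0000] "GET /rma/uploads/invoice-1042.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Jul/2024:08:16:11 +0000] "GET /rma/uploads/invoice-1042.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/127.0"
40.77.167.12 - - [10/Jul/2024:08:17:40 +0000] "GET /rma/uploads/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
66.249.66.1 - - [10/Jul/2024:08:18:00 +0000] "GET /support/faq HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-agent substrings of common search-engine crawlers (assumed list, extend as needed).
CRAWLER_UA = re.compile(r"googlebot|bingbot|yandexbot|duckduckbot|baiduspider", re.I)
PROTECTED_PREFIX = "/rma/uploads/"  # assumed location of customer RMA documents


def find_crawler_hits(log_text: str, prefix: str = PROTECTED_PREFIX) -> List[Dict[str, str]]:
    """Return successful (2xx) crawler fetches of paths under `prefix`.

    A 2xx response to a crawler for a directory index or a customer document means
    that content was reachable by, and is likely now indexed by, a search engine.
    Denied requests (4xx) are not reported: they show the path is protected.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue
        if CRAWLER_UA.search(m.group("ua")) and m.group("status").startswith("2"):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": m.group("status"), "ts": m.group("ts")})
    return hits


if __name__ == "__main__":
    for h in find_crawler_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} fetched {h['path']} -> {h['status']}")
```

On the constructed log this reports the two Googlebot fetches (the directory index and the invoice PDF); the bingbot request is skipped because it was denied.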
A spokesperson from Zotac informed GamersNexus that they had disabled the document upload button on their RMA portal and now require customers to email the relevant documents along with their requests. Most of the leaked data has now been secured, and most of the private documents leaked aren’t accessible via Google Search anymore.
However, some data might still appear in search engine queries. GamersNexus also stated that it reached out to some of Zotac’s partners to raise awareness about the data breach, especially considering its sensitive nature and to “back-channel a fix for the issue” before announcing it on X.
Disabling uploads, however, only stops further data from leaking. Customers who have used Zotac’s RMA service at any point before the time of writing should assume that their related documents and any information in them have been leaked. Because Zotac wasn’t aware of the misconfigured web server, the exposure duration is unknown, so no RMA dates can be considered safe at the moment. The same applies to the number of customers affected, which is also unknown.
This isn’t the first instance of a hardware manufacturer applying inadequate security to sensitive documents such as receipts on its RMA portal. However, the ease with which Zotac’s files were publicly accessible shows a complete lack of effort to protect data on channels the general public rarely sees.