Skip to content

Zotac exposes customer RMA info on Google Search

  • by
  • 2 min read

Gaming hardware manufacturer Zotac has been found leaking return merchandise authorisation (RMA) requests and related documents online for an unknown period. The discovery was made by a viewer of the YouTube Channel GamersNexus. The channel reported the leak later on X without naming Zotac and then disclosed more details in a YouTube video.

The issue lay in misconfigured web folders that hold RMA data, causing them to be indexed by search engines. Consequently, search terms containing individuals’ or companies’ names alongwith the “” site parameter revealed personal information in the form of invoices, addresses, request details, and contact information.

A spokesperson from Zotac informed GamersNexus that they had disabled the document upload button on their RMA portal and now require customers to email the relevant documents along with their requests. Most of the leaked data has now been secured, and most of the private documents leaked aren’t accessible via Google Search anymore.

However, some data might still appear in search engine queries. GamersNexus also stated that it reached out to some of Zotac’s partners to raise awareness about the data breach, especially considering its sensitive nature and to “back-channel a fix for the issue” before announcing it on X.

However, this measure only stops more data from leaking. For customers who have used Zotac’s RMA service at any point before the time of writing, the assumption should be that their related documents and any information in them have been leaked. Since Zotac wasn’t aware of the misconfigured web server, the exposure duration is unknown; hence, there are no safe RMA dates at the moment. This also applies to the number of customers affected.

This isn’t the first instance of a hardware manufacturer using inadequate security measures to secure sensitive documents like receipts on their RMA portals. However, the ease with which Zotac’s files were accessible to the public shows a complete lack of effort to protect data on channels not frequently seen by the general public.

In the News: Chinese state-sponsored APT40 can exploit flaws within hours

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: