Computer hardware manufacturer Zotac inadvertently exposed Return Merchandise Authorization (RMA) requests and related documents online, compromising sensitive customer information for an unknown duration.
The cause was a misconfiguration of the web folders containing RMA data, which let search engines index the affected folders and made them accessible through Google Search.
According to BleepingComputer, the exposure appears to stem from permissions that did not restrict access to authorized users, such as Zotac employees, combined with the absence of tags or a 'robots.txt' file instructing web crawlers to exclude the sensitive folders.
Google Search queries using people's or company names alongside the 'zotacusa.com' site parameter could reveal personal information, including invoices, addresses, request details, and contact information.
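The two gaps described above (no access restriction, no crawler exclusion) can be checked separately when auditing a folder that is meant to be private. The following is an added example, not code from Zotac or from the original report; the folder name `/rma-uploads/` and the sample responses are constructed for illustration, and treating HTTP 401/403 as "protected" is an assumption of the sketch.

```python
import re
from urllib.robotparser import RobotFileParser

# Matches <meta name="robots" content="... noindex ..."> in an HTML body.
META_NOINDEX = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]*content=["\'][^"\']*noindex', re.I)

def assess(path, status, headers, body, robots_txt):
    """Classify one unauthenticated response for a folder that should be private."""
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())          # empty text = no robots.txt
    crawl_allowed = robots.can_fetch("*", path)
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    noindex = ("noindex" in hdrs.get("x-robots-tag", "")
               or bool(META_NOINDEX.search(body)))
    public = status == 200                         # served without credentials
    return {"path": path, "public": public,
            "indexable": public and crawl_allowed and not noindex}

def verdict(result):
    if not result["public"]:
        return "protected"
    if result["indexable"]:
        return "exposed and indexable"
    # Crawler directives are advisory: anyone with the URL can still read the files.
    return "exposed, hidden from crawlers only"

# Constructed samples: (path, status, headers, body, robots.txt contents)
SAMPLES = [
    ("/rma-uploads/", 200, {}, "<html><title>Index of /rma-uploads/</title></html>", ""),
    ("/rma-uploads/", 200, {}, "<html><title>Index of /rma-uploads/</title></html>",
     "User-agent: *\nDisallow: /rma-uploads/"),
    ("/rma-uploads/", 200, {"X-Robots-Tag": "noindex, nofollow"}, "", ""),
    ("/rma-uploads/", 403, {}, "Forbidden", ""),
]

def run_samples():
    return [verdict(assess(*sample)) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, outcome in zip(SAMPLES, run_samples()):
        print(sample[1], sample[0], "->", outcome)
```

Only the last sample closes the exposure; the second and third keep the folder out of search results while leaving the documents readable by anyone who has the link.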
The security lapse, affecting an unspecified number of Zotac customers, was initially discovered by a viewer of the YouTube tech channel GamersNexus. The channel reported the breach late last week on X (formerly Twitter), without initially naming Zotac.
GamersNexus informed several of Zotac’s major partners to raise awareness about the data exposure. Remedial actions are currently underway, with the majority of the private documents no longer publicly accessible.
GamersNexus eventually contacted a Zotac spokesperson, who confirmed that the company had disabled the document upload feature on its RMA portal. Customers are now instructed to email files accompanying their requests as an interim solution.