A custom gaming controller maker has exposed thousands of sensitive data online.

The data breach affects Scuf’s employees, as well as over one million of its customers.

The accessed information includes names, email addresses, redacted payment data, and more.

A subsidiary of Corsair that sells custom gamepads for PS4, Xbox, and PC platform called “Scuf Gaming” left an unprotected database online. The security incident has resulted in the exposure of sensitive data belonging to customers of the company and its staff, and even of internal API keys. The discovery was the work of security researcher Bob Diachenko, who figured that the first indexing on BinaryEdge happened on April 2, 2020. Scuf Gaming was notified the next day, and they took down the database in less than two hours.

Still, this was long enough for automated bot crawlers to locate the unprotected database and leave a ransom note demanding 0.3 BTC. The note states that the data has already been downloaded onto the actor’s servers, but that doesn’t seem to be the case, as no wiping ever happened. A Corsair spokesperson told Comparitech that the actors didn’t have the time to encrypt or delete the data stored in the database, so they couldn’t have managed to download them either.

The unprotected database contained customer and employee information, ranging from entries created in 2017 until today. The following data was exposed:

1,128,649 customer data records containing full names, email addresses, billing addresses, shipping addresses, phone numbers, and order histories.

customer data records containing full names, email addresses, billing addresses, shipping addresses, phone numbers, and order histories. 991,478 customer data records containing payment details, including order numbers, partial credit card numbers, credit card expiration dates, order amounts, and transaction IDs.

customer data records containing payment details, including order numbers, partial credit card numbers, credit card expiration dates, order amounts, and transaction IDs. 754 SCUF Gaming staff records, including usernames, full names, encrypted passwords, email addresses, user roles, and session IDs.

SCUF Gaming staff records, including usernames, full names, encrypted passwords, email addresses, user roles, and session IDs. 144,379 records with repair order details.

records with repair order details. An undefined number of records concerning internal API keys.

While no full credit card details have been exposed, the data left unprotected online would be enough for fraudsters, scammers, phishing actors, etc. Whatever piece of information someone is holding would be a lever to use for the elicitation of more data. So, if you’ve bought a custom game controller from Scuf Gaming, or if you have sent a product to their service department, bear in mind that scammers may try to trick you. Also, keep an eye on your bank account activity just in case something weird pops up.