Razer says it is still investigating an alleged breach involving its virtual gaming credits platform, Razer Gold, after hackers claim to have stolen source codes and encryption keys, among others.
The gaming peripheral maker had conducted a “thorough review” of all its websites and taken “all necessary steps” to secure its platforms, a spokesperson told ZDNET in a statement Tuesday. “Razer is still in the midst of investigations. Once investigations have concluded, Razer anticipates that we will report this matter to the relevant authorities.”
Headquartered in Singapore and California, the company said it was alerted on Sunday to the potential breach impacting Razer Gold, which credits can be used to purchase games and in-games features for more than 42,000 titles.
Details in Razer’s statement had remained largely unchanged since news of the breach surfaced this past weekend. The spokesperson did not directly respond to ZDNET’s list of questions, including how many customers were impacted, where these customers were located, and whether details of the alleged stolen data were legitimate.
A post surfaced on a hacker forum on Saturday claiming to have stolen a multitude of data, including source codes, encryption keys, backend access logins, and database for “Razer.com and its products”. As proof, the hackers included screenshots of the alleged breach, listing folders that appear to contain, among others, API details, merchant vouchers, and payment channels.
The hackers are looking to offload the entire set of data for $100,000 in Monero cryptocurrency, though they are willing to negotiate a sale for less.
DataBreaches.net, which was among the first to break the news on Saturday, said in a followup post Monday that it communicated with a Jabber account alleging to be the hackers, who said they had yet to receive offers for the data.
The hackers said they did not make contact with Razer and had no intention to extort the company. Asked how they carried out the breach, the hackers said they stole access and gained Bitbucket credentials. They then cloned the repository.
DataBreaches.net said it was unable to verify the authenticity of the Jabber account, but said it “seems likely” the individual was the hacker.
In such instances involving stolen data, hackers operate like “stereotypical criminals selling stolen jewelry out of their coat pockets”, said Satnam Narang, Tenable’s senior staff research engineer. “These cybercriminals seek the best possible deal, but are willing to compromise on price and are focused on expediency because, even though the stolen data is valuable, possession of such data comes with the likelihood of law enforcement action,” Narang said in a note commenting on the alleged Razer breach.
He added that all organizations were at risk of data security attacks, especially companies such as Razer that are dominant players in their field.
Phillip Ivancic, Synopsys Software Integrity Group’s Asia-Pacific head of solutions strategy, noted that the alleged breach involved source code, which underscored an important but “often overlooked” area of concern.
Apart from their commercial value as intellectual property, source code can be analyzed offline to identify potential exploits and plan for further attacks, Ivancic said. Access to source code enables cybercriminals to establish an intimate understanding of any underlying vulnerabilities, providing them with the information they need to create malicious attacks to exploit these software holes, he added.
He urged organizations to pay special attention to their software development environments where source code is maintained and safeguard their CI/CD (Continuous Integration/ Continuous Development) pipeline.
Razer suffered a data breach in 2020 when an employee of its IT vendor Capgemini was found to have misconfigured the implementation of an ELK (Elasticsearch, Logstash, Kibana) stack for the gaming company, disabling the security settings.
The Singapore High Court in December awarded Razer $6.5 million in damages, but Capgemini has filed an appeal to pay “nominal damages” for the breach. The consulting firm argued that Razer failed to mitigate its losses from the breach due to its delay in responding to repeated warnings about an unsecured database.