Sep 14, 2020 1 min, 53 secs

The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you'd expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.

I must say I really enjoyed my conversations with different reps of @Razer support team via email for the last couple of weeks, but it did not bring us closer to securing the data breach in their systems.

Until last year, Synapse would not function—and users could not configure their Razer gear, for example change mouse resolution or keyboard backlighting—without logging in to a cloud account.

It's easy to respond dismissively to data leaks like this.

The information exposed by Razer's misconfigured Elasticsearch cluster is private—but unlike similar data exposed in the Ashley Madison breach five years ago, the purchases involved are probably not going to end anyone's marriage.

Attackers can and do use data like that leaked here to heighten the effectiveness of phishing scams.

Armed with accurate details of customers' recent orders and physical and email addresses, attackers have a good shot at impersonating Razer employees and social engineering those customers into giving up passwords and/or credit card details.

In addition to the usual email phishing scenario—a message that looks like official communication from Razer, along with a link to a fake login page—attackers might cherry-pick the leaked database for high-value transactions and call those customers by phone.

"You ordered a Razer Blade 15 Base Edition at $2,599.99 on $order_date..." is an effective lead-in to fraudulently getting the customer's actual credit card number on the same call.

According to the Identity Theft Resource Center, publicly reported data breaches and leaks are down thirty-three percent so far, year over year.

Attackers reuse breached or leaked data for semi-targeted phishing and credential stuffing attacks for years after the actual compromise.

Instead, you should focus on minimizing how much of your data companies have in the first place—for example, no one company should have a password that can be used with your name or email address to log in to an account at another company.
