Zotac server misconfig exposed customer info to Google searches — customer RMA documents are available on the open web

Zotac Gaming wallpaper
(Image credit: Zotac)

The investigative journalists at Gamers Nexus uncovered a serious and troubling data leak at Zotac, a company already in FTC crosshairs for its warranty practices. Tipped off by a viewer, the team learned that documents related to Return Material Authorization (RMA) requests were publicly available on the web and had even been indexed by Google. These documents contained full names, telephone numbers, email and mailing addresses, and more. 

Zotac's Big Mistake | Consumer Warranty & Business Data Exposure - YouTube Zotac's Big Mistake | Consumer Warranty & Business Data Exposure - YouTube
Watch On

The viewer discovered this leak when doing his own due diligence to see what information came up when he Googled his name. Surprisingly, he discovered a document he had uploaded to Zotac as part of an RMA return. He promptly notified both Zotac and Gamers Nexus. 

While Zotac immediately removed access to that individual’s attachment, Gamers Nexus quickly discovered how widespread and serious the leak was. It discovered RMA attachments from consumers, including emails and spreadsheets containing those people’s personal information.

Other documents included corporate invoices to businesses like Micro Center, iBuyPower, and others. In at least one case, a document contained what was either an Employer Identification Number or Social Security Number. Gamers Nexus swiftly emailed Zotac of their findings as well as several of the business-to-business customers involved.

While Gamers Nexus did not immediately identify Zotac to the public, they did post a message to X (formerly known as Twitter) on July 5 to timestamp how long it took the company to begin addressing the issue. The good news is that it didn’t take long.

As of this writing, searching for “RMA Zotac” does still list hundreds of PDF and Excel documents submitted to Zotac’s RMA and warranty web page. However, the links now lead to dead links, likely because Zotac corrected the misconfigured file permissions for that directory.

Zotac also temporarily removed the “upload attachment” button from its RMA form. Until the company’s web developers can properly fix the issue, Zotac will be asking customers to email their documentation instead of using the online portal.

Some information can still be gleaned from Google’s cache, though, which is problematic. Since Zotac has not taken measures yet to deindex that directory with Google, the search engine results pages still list bits and pieces of information. We were able to find several customers’ mailing addresses this way.

If you have ever filed an RMA with Zotac, you should Google search your own name along with Zotac’s and perhaps RMA. If you find anything containing your information, click the three dots in the top right of the result to request Google remove the page from its search results.

TOPICS
Jeff Butts
Contributing Writer

Jeff Butts has been covering tech news for more than a decade, and his IT experience predates the internet. Yes, he remembers when 9600 baud was “fast.” He especially enjoys covering DIY and Maker topics, along with anything on the bleeding edge of technology.

  • USAFRet
    Routinely, we are admonished to safeguard our personal data. 2FA, VPN, password vault, etc, etc,.

    And also routinely, the companies and organizations we give this data to screw it up completely.
    Reply