Computer hardware maker Zotac has exposed return merchandise authorization (RMA) requests and related documents online for an unknown period, exposing sensitive customer information.
Zotac, known for its range of compact and mini PCs, high-performance graphics cards, motherboards, and computer accessories, has misconfigured the web folders that hold RMA data, resulting in them being indexed by search engines.
This is typically the result of inadequate permissions that restrict access to authorized users only, aka Zotac’s employees, and the lack of tags or a ‘robots.txt’ file that would instruct crawlers to exclude the sensitive folders.
As a result, Google Search queries containing people’s or company names along with the ‘zotacusa.com’ site parameter revealed personal information such as invoices, addresses, request details, and contact information.
The lapse, which impacts an unknown number of Zotac customers, was discovered by a viewer of the YouTube tech channel GamersNexus. The channel reported the leak late last week on X without naming the hardware vendor.
Meanwhile, GamersNexus informed some of Zotac’s largest partners to raise awareness about the sensitive data exposure, and remediation efforts are underway.
The YouTube channel revealed the culprit was Zotac USA via a video published yesterday after receiving a response from the firm.
Most of the data has now been secured, though they still appear in Google Search. That said, most of the private documents are no longer publicly accessible.
GamersNexus eventually reached a spokesperson from Zotac, who told them that they had disabled the document upload button on their RMA portal and now ask customers to email files accompanying their requests.
If you have used Zotac’s RMA service at any point, you should consider your personal information exposed and take precautions as needed to mitigate the risk. Since the duration of the exposure is currently unknown, there are no “safe” RMA dates.
BleepingComputer has contacted Zotac to learn more about the data exposure, but a statement wasn’t immediately available.