
Zotac's Big Mistake - Consumer Warranty & Business Data Exposure
video description
Date: 2024-07-07
Related videos
Comments and reviews: 20
DigitalJedi
I'm not the original tipster to GN, but I also stumbled upon this around the same time after looking around for the Zotac RMA form for a friend. I broke the news on the Zotac subreddit after spending some time on the phone with a Zotac support person about it where I was passed aroud the chain until I was eventually handed to somebody higher up. I'm not going to go into detail about that call, as everything you need to know is already in this video.
I was able to scrape everything named here easily for hours before anything was done. If I were trying to be malicious, I could have feasibly downloaded enough to cause some serious damage for a couple dozen to maybe a hundred people at least. I'm not going to do that, let me be perfectly clear, but there was that kind of stuff floating around for several hours. I saw at least 7 different home addresses.
Based on what I've seen online in this breach, this could be disastrous for those people. There was some not just identifiable, but identity theft level information out there for some of them. At the very least, all of your emails have almost certainly been scraped into some database.
If you have had an RMA or other contact with Zotac, do what you can to secure everything right now. Some people are going to want to be canceling cards from their bank.
reply
I'm not the original tipster to GN, but I also stumbled upon this around the same time after looking around for the Zotac RMA form for a friend. I broke the news on the Zotac subreddit after spending some time on the phone with a Zotac support person about it where I was passed aroud the chain until I was eventually handed to somebody higher up. I'm not going to go into detail about that call, as everything you need to know is already in this video.
I was able to scrape everything named here easily for hours before anything was done. If I were trying to be malicious, I could have feasibly downloaded enough to cause some serious damage for a couple dozen to maybe a hundred people at least. I'm not going to do that, let me be perfectly clear, but there was that kind of stuff floating around for several hours. I saw at least 7 different home addresses.
Based on what I've seen online in this breach, this could be disastrous for those people. There was some not just identifiable, but identity theft level information out there for some of them. At the very least, all of your emails have almost certainly been scraped into some database.
If you have had an RMA or other contact with Zotac, do what you can to secure everything right now. Some people are going to want to be canceling cards from their bank.
reply
SaiMorphX
set .htaccess with an index(html|htm|php|whatever) file, you can add a rewrite rule to htaccess to keep crawlers from a directory, but they may not follow it, but you need to change some settings, and if you can do that, might as well add the rule to the server, you should also have a robots.txt file...
Honestly, never expose that server path, even tot he client. use php, python, whatever your server is running and serve the pdf files remotely, and write custom error catching, so the error doesn't expose the path.
I've been building web sites for over 25 years for myself mostly but a somewhat newb IT/Webmaster should know basic server setup, even folders can have permissions: chmod -v 0750 grants the owner read, write, and execute permissions, the group read and execute permissions, and denies any permissions to others
reply
set .htaccess with an index(html|htm|php|whatever) file, you can add a rewrite rule to htaccess to keep crawlers from a directory, but they may not follow it, but you need to change some settings, and if you can do that, might as well add the rule to the server, you should also have a robots.txt file...
Honestly, never expose that server path, even tot he client. use php, python, whatever your server is running and serve the pdf files remotely, and write custom error catching, so the error doesn't expose the path.
I've been building web sites for over 25 years for myself mostly but a somewhat newb IT/Webmaster should know basic server setup, even folders can have permissions: chmod -v 0750 grants the owner read, write, and execute permissions, the group read and execute permissions, and denies any permissions to others
reply
Lowkeh
14:15 - That rep's reaction was absolutely glorious!
Thank you. I'm glad you got that down and shared it with us.
__
(: Some military history nerdery below)
Kinda reminds me of WW2 US Navy's head honcho Fleet Admiral Ernest J. King (of infamous temper and having little-to-no patience for pencil pushing bureaucrats) once he found out about Bureau of Ordnance's mind-boggling 2-year-long negligence/incompetence regarding the Mark 14 torpedo.
Sufficed to say, Mr. Perpetually Angry NavyBoss-guy went to have a little chat with BuOrd, and thuslike Steve aptly put it: shortly after that conversation, things, uh, got set into gear..., finally.
It's incredibly unfortunate that the actual talk wasn't transcripted/recorded, because, oh boynow, there's a boss encounter I'd love to see a VoD of.
reply
14:15 - That rep's reaction was absolutely glorious!
Thank you. I'm glad you got that down and shared it with us.
__
(: Some military history nerdery below)
Kinda reminds me of WW2 US Navy's head honcho Fleet Admiral Ernest J. King (of infamous temper and having little-to-no patience for pencil pushing bureaucrats) once he found out about Bureau of Ordnance's mind-boggling 2-year-long negligence/incompetence regarding the Mark 14 torpedo.
Sufficed to say, Mr. Perpetually Angry NavyBoss-guy went to have a little chat with BuOrd, and thuslike Steve aptly put it: shortly after that conversation, things, uh, got set into gear..., finally.
It's incredibly unfortunate that the actual talk wasn't transcripted/recorded, because, oh boynow, there's a boss encounter I'd love to see a VoD of.
reply
acuteaura
When I worked as platform engineer at a large retailer we had a bucket for uploading public data, mostly product shots that was used by business people; it was literally called -public. One day we audit the thing because we heard a rumor business people have started using it as some sort of data exchange drive, and found a bunch of internal financial data. Fortunately these people weren't handling customer data directly; this was just after GDPR took effect. We walked over to the divisions office and found out that no, naming a bucket public doesn't communicate that it's the ENTIRE public and not just people in the office. We took away access from most people that day and told regular old IT that these people needed some sort of sharepoint access... which they didn't have.
reply
When I worked as platform engineer at a large retailer we had a bucket for uploading public data, mostly product shots that was used by business people; it was literally called -public. One day we audit the thing because we heard a rumor business people have started using it as some sort of data exchange drive, and found a bunch of internal financial data. Fortunately these people weren't handling customer data directly; this was just after GDPR took effect. We walked over to the divisions office and found out that no, naming a bucket public doesn't communicate that it's the ENTIRE public and not just people in the office. We took away access from most people that day and told regular old IT that these people needed some sort of sharepoint access... which they didn't have.
reply
WizardTim
Censoring and removing sensitive information from documents requested by those companies particularly when part of the RMA process generally isn't going to work. The service representatives are often trained to refuse documents that have been manipulated in any way for fraud prevention, demonstrating to them you have the know how to edit documents is just asking for trouble. I've tried doing this in the past blacking out stuff or watermarking documents so I know who's data breach it comes from. But most of the time they refuse to accept it or just completely ghost me.
reply
Censoring and removing sensitive information from documents requested by those companies particularly when part of the RMA process generally isn't going to work. The service representatives are often trained to refuse documents that have been manipulated in any way for fraud prevention, demonstrating to them you have the know how to edit documents is just asking for trouble. I've tried doing this in the past blacking out stuff or watermarking documents so I know who's data breach it comes from. But most of the time they refuse to accept it or just completely ghost me.
reply
Thermalions
I can imagine the service agent removed the file/s of the 'initial' affected customer, but wouldn't (or at least shouldn't) have any permissions to make changes to fix the issue. Best they could do was flag it up internally. Given the delay in responding it sounds like there is no internal process to flag security issues, rather the issue probably just landed in someone's inbox mixed in with dozens of other emails (the recipient may even have been on leave).
reply
I can imagine the service agent removed the file/s of the 'initial' affected customer, but wouldn't (or at least shouldn't) have any permissions to make changes to fix the issue. Best they could do was flag it up internally. Given the delay in responding it sounds like there is no internal process to flag security issues, rather the issue probably just landed in someone's inbox mixed in with dozens of other emails (the recipient may even have been on leave).
reply
atranimecs
dear lord, a hacker definitely would exploit this before it was found...easy pickin's, sorry if you bought a ZOTAC product folks, it looks like the company is going to be sued by a large amount of corporations, ZOTAC will probably sue their third-party contractor for storing the data, in an insecure matter and you may not see any compensation from the class action.
reply
dear lord, a hacker definitely would exploit this before it was found...easy pickin's, sorry if you bought a ZOTAC product folks, it looks like the company is going to be sued by a large amount of corporations, ZOTAC will probably sue their third-party contractor for storing the data, in an insecure matter and you may not see any compensation from the class action.
reply
MaxiTB
Well, that's a clear GDPR violation. Incompetence is not covered in the exception clause and depending on the scale this can result in an up to 10% revenue fine over the span of the offsense.
So if you are customer in Europe, you should file an GDPR data discover request right now - even foreign countries have to apply to your laws when they do business in the EU.
reply
Well, that's a clear GDPR violation. Incompetence is not covered in the exception clause and depending on the scale this can result in an up to 10% revenue fine over the span of the offsense.
So if you are customer in Europe, you should file an GDPR data discover request right now - even foreign countries have to apply to your laws when they do business in the EU.
reply
anth5189
We must place governments in power that will institute new laws to stop these companies collecting ANY data from customers and make it illegal to force anyone to have unnecessary accounts. Any accounts if they don't want to have one. The penalties need to be much higher for breaches, like f-ing life in prison.
reply
We must place governments in power that will institute new laws to stop these companies collecting ANY data from customers and make it illegal to force anyone to have unnecessary accounts. Any accounts if they don't want to have one. The penalties need to be much higher for breaches, like f-ing life in prison.
reply
pirojfmifhghek566
THANK YOU for doing your due-diligence and reporting this in an ethical way. If something like this went on blast before they took any steps to fix it, that information would've been immediately scraped by so many bad actors before the rest of us could even finish watching the video.
reply
THANK YOU for doing your due-diligence and reporting this in an ethical way. If something like this went on blast before they took any steps to fix it, that information would've been immediately scraped by so many bad actors before the rest of us could even finish watching the video.
reply
user78405
i think zotac is trolling amd fanboys with proof of amazing sales data that nobody buying amd cards...ZERO AMD GPU's SOLD ...vs NVIDIA ...over $110k worth of sales ...thats shocker in given day....and bad part MSI no longer making anymore future amd gpu's ...they terminated amd partnership
reply
i think zotac is trolling amd fanboys with proof of amazing sales data that nobody buying amd cards...ZERO AMD GPU's SOLD ...vs NVIDIA ...over $110k worth of sales ...thats shocker in given day....and bad part MSI no longer making anymore future amd gpu's ...they terminated amd partnership
reply
namelastname8D
There's this thing in EU and UK called GDPR...
Basically if a company holds personal data of its customers it has to guarantee that data is safe because if it leaks to the internet it will face a fine of 10% of it's annual income.
Poor zotac... We will keep you in our hearts.
reply
There's this thing in EU and UK called GDPR...
Basically if a company holds personal data of its customers it has to guarantee that data is safe because if it leaks to the internet it will face a fine of 10% of it's annual income.
Poor zotac... We will keep you in our hearts.
reply
Worthless.
when customer tells zotac about the security issue : things don't move at all
when GN tells zotac about the security issue: things moved pretty quickly
sad that zotac basically said, 'fk off' when the customer let them know about it...
def gonna stay the fk away from zotac
reply
when customer tells zotac about the security issue : things don't move at all
when GN tells zotac about the security issue: things moved pretty quickly
sad that zotac basically said, 'fk off' when the customer let them know about it...
def gonna stay the fk away from zotac
reply
brucerosner3547
I'm astounded all this fuss about exposing user data. As near as I can tell everyone who has ever entered their name into a computer has already lost all privacy. Your name, address, date of birth, marital status, children, parents, etc all are public information.
reply
I'm astounded all this fuss about exposing user data. As near as I can tell everyone who has ever entered their name into a computer has already lost all privacy. Your name, address, date of birth, marital status, children, parents, etc all are public information.
reply
Imagine.Breaker
Oof
Linus and luke were just talking last wan show about how good a reputation zotac had built lately.
Thankfully this was addressed (addressed not fixed, i don't think this can be simply fixed), still, it feels like this could have been easily prevented.
reply
Oof
Linus and luke were just talking last wan show about how good a reputation zotac had built lately.
Thankfully this was addressed (addressed not fixed, i don't think this can be simply fixed), still, it feels like this could have been easily prevented.
reply
NecroFlex
If you could, you know, accidentally make the schematics public, by mistake, so that the repair shops, which totally shouldn't have these schematics, can have an easier time repairing GPUs, but not with these schematic obviously, that would be great.
reply
If you could, you know, accidentally make the schematics public, by mistake, so that the repair shops, which totally shouldn't have these schematics, can have an easier time repairing GPUs, but not with these schematic obviously, that would be great.
reply
jonkeau5155
That’s called skipping past the department manager trying to cover his ass and going straight to the board through their business partners. It gets done real quick when the top finds out what their underlings are hiding and money is involved.
reply
That’s called skipping past the department manager trying to cover his ass and going straight to the board through their business partners. It gets done real quick when the top finds out what their underlings are hiding and money is involved.
reply
torkilsd
Thats the moment where european laws just start to lube up your butthole.
European data protection laws are not a joke anymore. The fines are designed to hurt.
So if any european customer is now exposed on this, he can just sue zotac....
reply
Thats the moment where european laws just start to lube up your butthole.
European data protection laws are not a joke anymore. The fines are designed to hurt.
So if any european customer is now exposed on this, he can just sue zotac....
reply
Normanby
Insecure Direct Object Referencing / Broken Access Control = Currently #1 in the OWASP Security Risks.
Authentication who are you , but Authorisation = what you are allow to view once logged in.
Seams like they failed at both :(
reply
Insecure Direct Object Referencing / Broken Access Control = Currently #1 in the OWASP Security Risks.
Authentication who are you , but Authorisation = what you are allow to view once logged in.
Seams like they failed at both :(
reply
RyanLBC
holy hell. should i be afraid to rma my zotac 4090 with them lol. it randomly started to give me the black screens of death after almost two years of ownership/EDITED nevermind i went back to the 9:02 mark on the video. thanks Steve!
reply
holy hell. should i be afraid to rma my zotac 4090 with them lol. it randomly started to give me the black screens of death after almost two years of ownership/EDITED nevermind i went back to the 9:02 mark on the video. thanks Steve!
reply
Add a review, comment
Other channel videos















