In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers' PII (Personally Identifiable Information).
The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you'd expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.
https://twitter.com/MayhemDayOne?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1300811914050707456%7Ctwgr%5Eshare_3&ref_url=https://arstechnica.com/information-technology/2020/09/100000-razer-users-data-leaked-due-to-misconfigured-elasticsearch/ [twitter.com] (Link to the tweet from the security researcher.)
One of the things Razer is well-known for—aside from their hardware itself—is requiring a cloud login for just about anything related to that hardware.
Over the last year, Razer awarded [hackerone.com] a single HackerOne user, s3cr3tsdn, 28 separate bounties.
We applaud Razer for offering and paying bug bounties, of course, but it's difficult to forget that those vulnerabilities wouldn't have been there (and globally exploitable) if Razer hadn't tied their device functionality so thoroughly to the cloud in the first place.
Reap those cloud benefits.