According to the YouTube channel Gamers Nexus, over 600,000 customer warranty claims for MSI products were publicly accessible via Google search. MSI, a leading computer hardware and peripherals manufacturer, had exposed data that included sensitive information such as names, addresses, phone numbers, and specific order details.
The breach was discovered following a tip from a viewer who informed Gamers Nexus about 90 days’ worth of warranty data visible on MSI’s server. Further investigation revealed that the exposed data dates back to 2017. By entering specific search terms, such as “msi rma webserver intranet,” users could access MSI’s intranet portal, containing lookup tables of warranty requests.
According to Gamers Nexus, in addition to all the exposed personal information, the portal where these warranty claims were found allowed users to resubmit warranty requests, request tracking information, and access detailed MSI responses and failure causes.
“It doesn’t require hacking to get here,” Gamers Nexus stated. “All we did was type in MSI RMA into a search engine, and we found this page.”
Gamers Nexus demonstrated the availability of publicly visible warranty claims, including one from Asmongold’s company (a popular gaming streamer), Star Forge Systems. This raised concerns about the potential misuse of the data for fraudulent activities.
In response to the discovery, Gamers Nexus promptly notified MSI, and the company blocked access to the web server. However, they chose not to seek a statement from MSI, arguing that the severity of the breach spoke for itself. “There’s just no excuse,” the channel remarked. “It is a massive vulnerability for consumers.”
Since the video exposed the URL of the said database, Stack Diary confirmed that search engines like Google and Bing have removed almost all of the results from this now-inaccessible domain name. However, we did find some search engines that still showed dozens of cached copies of these warranty claims:
The implications of this data exposure are significant. Considering that the data dates back to 2017 and that the most recent warranties in the video Gamers Nexus made were from June 2024, that’s seven years of personal data exposure for hundreds of thousands of customers.
Cybercriminals could exploit the information for identity theft, phishing scams, or other fraudulent activities. The detailed knowledge of customer purchases and warranty issues would allow scammers to craft compelling and targeted attacks. For example, scammers could pose as MSI representatives and request customers to pay for non-existent upgrades or repairs.
Since MSI has not made a public announcement, we’ve asked them to confirm that this data wasn’t scraped en masse. We will update this article once we know more.
This incident follows a similar lapse at Zotac, where individual documents, including RMA applications, were visible via Google searches. In comparison, MSI’s breach involved a fully accessible and well-organized database, which could be easily scraped.
