MSI’s Massive Security Breach: 600K+ Warranties Exposed
Earlier, motherboard manufacturer Zotac was found to have leaked a significant amount of detailed customer information due to a failure to configure server permissions properly. This oversight allowed search engine crawlers to directly index after-sales request forms, which contained users’ real names, phone numbers, and detailed addresses.
Recently, MSI was found to have an identical security breach. Searching for specific keywords in a search engine easily locates MSI’s after-sales service site, which contains detailed customer information.
Through this after-sales service site, anyone can directly download and export user data submitted to MSI since 2017, including real names, phone numbers, and detailed addresses. Testing revealed that anyone could also resubmit after-sales requests, track detailed information about these requests, and access MSI’s responses and fault reasons. The exposed data even included the information of some well-known gaming streamers.
The YouTube channel Gamers Nexus discovered this issue and promptly notified MSI. MSI’s response was rather blunt: it blocked access to the relevant servers and even stopped resolution of the subdomain.
However, this approach does not completely solve the problem, as some search engines still provide cached data, allowing access to detailed user information through these caches.
Because the issue dates back to 2017, the information of over 600,000 users has been exposed online for seven years. Worse still, MSI’s situation is more severe than Zotac’s, as MSI’s after-sales system can export all data into Excel files.
The security issues experienced by both MSI and Zotac are elementary mistakes: both failed to configure server permissions, which allowed unrestricted access by search engines and individuals. It seems these companies’ security teams have not thoroughly checked the permissions on their internal infrastructure.