Tom’s Hardware
Jeff Butts

Zotac server misconfig exposed customer info to Google searches — customer RMA documents are available on the open web

Zotac Gaming wallpaper.

The investigative journalists at Gamers Nexus uncovered a serious and troubling data leak at Zotac, a company already in FTC crosshairs for its warranty practices. Tipped off by a viewer, the team learned that documents related to Return Material Authorization (RMA) requests were publicly available on the web and had even been indexed by Google. These documents contained full names, telephone numbers, email and mailing addresses, and more. 

The viewer discovered this leak when doing his own due diligence to see what information came up when he Googled his name. Surprisingly, he discovered a document he had uploaded to Zotac as part of an RMA return. He promptly notified both Zotac and Gamers Nexus. 

While Zotac immediately removed access to that individual’s attachment, Gamers Nexus quickly discovered how widespread and serious the leak was. It discovered RMA attachments from consumers, including emails and spreadsheets containing those people’s personal information.

Other documents included corporate invoices to businesses like Micro Center, iBuyPower, and others. In at least one case, a document contained what was either an Employer Identification Number or Social Security Number. Gamers Nexus swiftly emailed its findings to Zotac as well as to several of the business-to-business customers involved.

While Gamers Nexus did not immediately identify Zotac to the public, they did post a message to X (formerly known as Twitter) on July 5 to timestamp how long it took the company to begin addressing the issue. The good news is that it didn’t take long.

As of this writing, searching for “RMA Zotac” does still list hundreds of PDF and Excel documents submitted to Zotac’s RMA and warranty web page. However, those links are now dead, likely because Zotac corrected the misconfigured file permissions for that directory.

Zotac also temporarily removed the “upload attachment” button from its RMA form. Until the company’s web developers can properly fix the issue, Zotac will be asking customers to email their documentation instead of using the online portal.

Some information can still be gleaned from Google’s cache, though, which is problematic. Since Zotac has not taken measures yet to deindex that directory with Google, the search engine results pages still list bits and pieces of information. We were able to find several customers’ mailing addresses this way.

If you have ever filed an RMA with Zotac, you should Google search your own name along with Zotac’s and perhaps RMA. If you find anything containing your information, click the three dots in the top right of the result to request Google remove the page from its search results.
