Zotac's Big Mistake | Consumer Warranty & Business Data Exposure
Вставка
- Опубліковано 21 лип 2024
- Sponsor: NZXT C1500 Platinum PSU on Amazon geni.us/KvKlUi
Zotac was hosting customer RMA files, business-to-business transactions, invoices, bill of lading memos, credit memos, customer Amazon order history, chat logs, email logs, and addresses and phone numbers in a way which was publicly discoverable through Google. In fact, a Google search simply of "Zotac RMA" (without even using a site flag) would surface private customer emails and contact information within 1 page, sometimes 2. We notified Zotac urgently and withheld reporting until the company removed access to as many of these files as possible. The rest remains cached, but there are tools to try and get it removed for affected users. Zotac has fixed the basics, so we felt comfortable to publish.
SUPPORT OUR REPORTING DIRECTLY! Grab a GN CyberSkeleton V2 T-shirt: store.gamersnexus.net/product...
Like our content? Please consider becoming our Patron to support us: / gamersnexus
TIMESTAMPS
00:00 - Zotac Issues
01:31 - Wrong Server Setup
03:14 - How Bad Was It?
05:55 - A Viewer's Discovery
09:02 - What YOU Should Do
10:24 - Public Service Announcement
12:42 - Zotac's Response
** Please like, comment, and subscribe for more! **
Links to Amazon and Newegg are typically monetized on our channel (affiliate links) and may return a commission of sales to us from the retailer. This is unrelated to the product manufacturer. Any advertisements or sponsorships are disclosed within the video ("this video is brought to you by") and above the fold in the description. We do not ever produce paid content or "sponsored content" (meaning that the content is our idea and is not funded externally aside from whatever ad placement is in the beginning) and we do not ever charge manufacturers for coverage.
Follow us in these locations for more gaming and hardware updates:
t: / gamersnexus
f: / gamersnexus
w: www.gamersnexus.net/
Steve Burke: Host, Writing, Video Editing
Tim Phetdara: Pre-Cut Editing - Ігри
Grab a GN shirt to support our work! store.gamersnexus.net/products/limited-edition-foil-cyberskeleton2-cotton-tshirt
If you haven't seen it, go check out our Noctua NH-D15 G2 review! Super in-depth/technical benchmarking, tons of fun: ua-cam.com/video/heriTDWIU2g/v-deo.html
Or our positive review of the Antec C8 ARGB case: ua-cam.com/video/yJAq2H52A2A/v-deo.html
The digital rib shirt idea... genius genius. Coolest tech merch shop
Thanks for the hard work!
new here. What shampoo do you use? 100%
What happened with the EK story.
Are the per-ordered shirts still going to wait until mid September to ship?
if googles bots have crawled the pages... other bots have too, this wil be impossible to scrub/remove from the internet.... good job Zotac
Yep, just like any leak, it's out there somewhere.
The files are still accessible by prepending "cache:" to the URL.
I have a bunch of Web Archives available for getting around certain things, Google cache is only 1
I was still able to find two URLs. They were dead, granted, but the customers' emails still shows up in the stub under the link. All popped up before this video
Funny, I was going to say something similar in the original community post earlier.
If the scrapers can see it, it's wide open to anyone. Meaning others might already have chanced upon it in the past as well, and just kept mum.
Zotac 💩🛌
Ironic that this is the first time in a decade that Google search results have actually given something relevant.
Honestly at one point I remember during Tests in my Youth
If i had a 'Fix the grammatical error in this online test' (not exams. Just practice ones)
I litereally could google half the sentence and find the official Word Document on google that held the complete lines and correct answers
and '100% Be accurate'
I did tell my teachers that
Torched. Absolutely crispified.
Google and UA-cam are Garbage.
Savage.
Zotac's Big Mistake.
Rejected titles: Zotac's Terrible, Horrible, No-Good, Very Bad Day
i doubt they'll face any consequences for this
Zotac's oopsie poopsie
@@JasonMendoza-hd3ce Yeah, just a finger wag from consumers will be the worst of it
“Zotac: Mistakes Were Made” ~MVG
@@michael5654CEOs. Consumers ain't the ones that are in the wrong here.
We're at a point where companies receiving a message from GN should just respond with:
"Sh!t, what did we do? We'll fix it immediately."
it only matters to most of them when the people paying them start threatening legal action/major loss of revenue.
which is sad.
this is a great. this is what all inveestigative journalism should aspire to be. i consider GN to be the gold standard.
GN should just send out fake email for them all to say they been cought, and see how they react.
Classic fishin trick.
@@kenabithis is a case that could result in legal action or a loss of potential future revenue if they didn't act quickly
Well they cannot say they were not warned
The warning is why it got somewhat fixed so fast! Glad to see that at least.
@@GamersNexus True but like you said ...still needed more than a customer pointing it out and even yourselves having to get some companies involved lol
@@EastyyBlogspot exactly. the security@ email address should always work. And we know for a fact: at Asus it doesn't. Zotac is apparently so-so, I can readily believe ordinary support employees to not care to redirect such questions to level 2.
This type of thing happened on the State of Missouri's web site. The idiot governor tried to prosecute the reporter who wrote about it, claiming he was a hacker. This is a basic web/server design and management problem. Don't "upskirt" yourself when setting up your site.
It should be basic step 1, assume anything in the path the server uses CAN be accessed by anyone. Absolutely mental to store sensitive information inside the path the web server can serve, its usually called public_html for a reason.
naturally the governor of a stink hole wants to prosecute the press for revealing government ineptitude
If you can, link please.
@@arthurmoore9488 it was widely reported. Pick a couple search terms from the op's comment, and you'll find everything you need.
It happened in Spain last month too. The traffic administration had all the information about every driver in the country open in the web, and it was scrapped at least twice in six months. And the worst thing is that they knew it because months before it got public due to the second breach, they were prosecuting the teen that scrapped it first.
Thanks for looking out as always, dudes. So much blatant carelessness and irresponsibility smh. It’s a million wonders there’s not more id theft and fraud than there already is.
Yep. No one gives a fuck anymore.
@@RATTL3R186 they really don’t, man. It’s almost depressing when you think about how all of this is just basically the new normal.
I’ve said it before and I’ll say it again, from toilet paper manufacturers to PC hardware manufacturers and everything in between, all companies should strive to be as great as Chewy pet supplies 😂
@@dark_matt3r_new? hahaha
They cant steal our money if we dont have any
Steve Lehto mentioned you briefly today about warranty void stickers. Always cool when the channels I sub to somehow come together. :)
That's awesome! I'll check it out. The FTC has been aggressive lately on warranties and consumer rights with them.
The Steve Cabal!
Ah good!
ahh I used to watch that dude, abit out of my lane these days though. I bet he still totally loves Mobile homes ;P
@@samiraperi467 or multisteverse
The B2B stuff could lead to so many easy scams. Baffling.
Misconfigured settings are a pretty big deal. Especially when mishandling customers PII. Possibly a potential lawsuit, but at minimum they should just admit they f*cked up. You'd be surprised what you can find on search engines with the right dorks.
Agreed. The SolarWinds hack was a default password. This is that level of negligent, or possibly worse. For a web crawler to find the individual PDFs there had to be an index it could crawl.
True but it was multiple security lapses that caused this. The first was a permissions issue, the second is that they were storing the individual files individually and unencrypted. Even if they had encrypted said files, because they are storing them individually it means hackers would still be able to glean information from the file names / existence of said files on servers. They need to further obfuscate the files themselves in addition to encrypting any user submitted data.
"You'd be surprised what you can find on search engines with the right dorks." - Additionally, you'd be surprised at how forgiving people can be when you admit you messed up and show that you're trying to do better. If you refuse to admit that you messed up, though, the backlash can be immensely more powerful.
@@giglioflex "True but it was multiple security lapses that caused this" - Even more important than what you mentioned, the ultimate issue is lack of authentication to access that data. Also, lack of (or misconfigured) robots.txt file.
Unfortunately if they publicly admit to it they would open themselves up to a a guaranteed lawsuit. Even if they're sued this way there's at least some way out of it, but not if they admit the mistake.
I was a bit worried when I saw the OG post about this issue, get to breathe a little sigh of relief finding out that it's a company I literally have not even once interacted with. It's a good day.
I...
I always thought they were a knockoff company. Lucky me.
I bought their 3070 when GPUs were hard to come by. ended up getting an Aorus Master same week and sold the 3070. I feel lucky for once.
Same anytime someone said get a zotac I laughed and said if I can't afford an EVGA I can't afford this GPU@@radicalindividual7774
I have a zotac graphics card, and have had no issues with it at all, so this does not affect me personally. But since the world does not revolve around me personally, this is not a good day for the company, or for anyone potentially affected by this.
@@radicalindividual7774 WTF, knockoff company that sells GPUs. That's kind of dumb statement. Like, what would they do ? Give you a RTX 3060 die in a RTX 4080.
I kinda feel left out that I never got attempted scams from a Russian oil refineries and only ever used to get boring old Nigerian princes.
They get sent to business addresses constantly, not so much to private individuals.
I had one from the Secretary General of the United Nations once 😂
At least they fixed it in less than 15 hours after GN posted it lol
From a cyber security standpoint, literally pulling the plug on the server is better than this level of data breach. The more difficult part is getting Google and other search engines to take down copies, while knowing they'd never get them all.
Also, reminder that GN said they contacted Zotac's partners too. They lost major corporate customers from this.
@@arthurmoore9488 that or Zotac might have had to make very painful promises to those clients which would have cost them a lot. The people responsible for this in SRE/DevOps (what used to collectively be called "IT") likely are facing termination.
It was too late days ago.
Back in the day, Zotac denied me an RMA of a GTS 250 "For not having registered it in the first XX days". I haven't bought anything from them since... so I'm glad to see them suffering.
Depending on the warranty and your country/state that's illegal. Of course, nothing happens... :(
Eh, registration probably wouldn't have helped. They refused my RMA on a 1070, because they couldn't "find" my registration or something. After 3 mails I gave up. It felt like shit during the mining craze.
Here in Norway, it's not mandatory to send in registrations for equipment you buy, but you do need to provide proof of purchase in case of dispute. A copy of the original sales receipt with sufficient details to identify the item, seller, date of purchase and amount paid (and preferably also customer name) is enough to file a claim against dealership or importer. The law gives us certain rights to repair or replace an item if it has defects listed in the law.
The minimum period you are entitled to for claims for defects under the law is 2 years, but extended to 5 years for items that are commonly expected to last more than 2 years, such as phones.
@@LarsV62 obviously I provided them the proof of purchase, but "it was not enough" you know?
@@vxvicky Damn stubborn paper pushers... 🙄
8:18 "On the upside for consumers, is *because BUSINESSES were involved,* people cared A LOT, REAL fast; like, as SOON as I started contacting business, it was done and fixed *in 4 hours!* "
It's absolutely DISGUSTING that the only reason that potentially THOUSANDS of files containing sensitive customer information are gone from GOOGLE SEARCHES, is because Steve brought to their (and other affected parties') attention that sensitive BUSINESS information was available in those searches as well. Truly disgusting.
the truth is, people is stupid, they don't understand the gravity of this issue and they will forget in a couble days. Business are not stupid, they don't forget, and they move A LOT of money.
That's the difference.
It is bad, but when you think about it, it makes sense since a business partner is buying in volume and a single customer is just a single purchase. I know it's not an excuse but I think situations like this are always going to be handled differently when it's business-to-business considering the volume of orders versus an any individual customer.
Another factor is that businesses will often have contracts with them and have the means to sue them so legal action is significantly more likely when this happens to a business versus an individual.
Companies are people too! (And some people are more equal than others.)
business partners also typically have direct communication lines with the people that have the power to make shit happen fast, whereas retail customers would have to go through the call center food chain
Don't blame customers for business' lack of morals@@nossiej
Time to bust out the popcorn.
I was just about to comment that...
Or something else
Great detective work as always. The concerning point is that the meta data of invoices is still online. There are emails and some other information of of customers like Natasha. Nawaf Alsarrani etc. visible in the meta data that could be used by scammers. You know what's even worse. You can still open cache pages using "cache:URL" on google. That's just incompetence of the highest level by this brand.
@@Violet-ui💯
This reminds me of what Google search was like in the early years after it went online. It was just mind boggling what you could find, if you knew how to ask. It seemed like no one had secure servers. My friends and I would get drunk and just see what we could find. Stuff like this Zotac situation were commonplace.
We need to get Steve a Grim Reaper costume with how many companies he looms over like the specter of death at this point.
Hah. My head now mixed Terry Pratchett's Death and Steve together as an anthropomorphized Death of Companies. Didn't know I needed that image in my life. Thanks!
Yes, this is what we need for companies to act right
Nah. The more appropriate costume is a white robe with a halo. Instead of being Tech Jesus, Steve is turning out to be the Patron Saint and Protector of tech consumers.
Steve needs a referee outfit, and should start a new channel called “Consumer Ref”. Use the split between content types to help maintain GN’s original identity, allocate more resources to the cause, and even drive up profit for both channels’ content.
Or a "I don't trust you bro" shirt
gamers nexus is basically the better business bureau of the tech industry now
Hard disagree. GN isn't a shakedown scheme. The BBB will remove negative reviews if the company pays them. Same as Yelp. Those reviews are still important, since it costs the company money, but know what they really are doing.
Why would you accuse GN of running a scam?
@@russell2952 I'm sure you thought this was a clever comment to post.
It's amazing how fast companies move when someone further up the ladder's ass is on the line.
Consequences I can think of:
* Customer lawsuit.
* EU fines.
* Possible US fine. (it's that egregious)
* Probably fines from individual US states with privacy laws.
* Loosing major business customers.
* Possible lawsuit for NDA violations from some of those businesses.
* Massive discounts to those businesses who remain.
The question isn't so much if someone is getting fired, but who.
@@arthurmoore9488the company is big enough that responsibility can be distributed wide enough nobody feels the pinch.
If anyone is fired, its just as likely to sometime just following direct orders, and when little to no authority.
Just a general reminder: The cloud is just someone else's computer. Even if you trust them not to be malicious with the data you give them, incompetence can have just as serious if not worse consequences.
And that the cloud isn't here to stay. Companies come and go and so do their temporary "cloud" infrastructure. Just look at video game servers for example.
I just noticed gray in Steve's beard. Fighting big corps ages you fast.
Nah he just leveled up
He's becoming a sage
Also, he doesnt mantain his hair that well... That hair is an absolute mess
"How can we get coverage from GN?" "I Know sir, let's leak all our data!" "PERFECT YOU GET A RAISE BARRY!"
Thanks other Barry!
it's a jill sandwich
And it’s time to complain to the EU for GDPR…
Yup. For real.
"ZotacUSA" domain...
@@VADemon the domain does not matter
@@greenlake_3465 proof that this affected european operations too?
@@VADemon if your website can be accessed from EU countries and you process personal data of individuals within the EU.
Every single time I have redacted any information from an invoice to any company over any RMA, the RMA was rejected. To get the RMA's processed, I had to provide unredacted documents. Now I just weigh the value of the product against the hassle of getting it RMA'd.
Just got my new GN magnets in and this notification popped up. I can't believe you guys put GPS chips in the magnets just so you could pander to me, thank you Steve!
So tempted to get those.
@@Apollo-Computers They're really nice actually! I'm more of a pin-guy so I glued the magnet to a carpet tack. Now they're sitting in my pin board looking pretty
Wow, a bad actor could mask their email using these business emails and fraud zotac. Major privacy issue.
"Helo, we are from mikrosopht souport" 😂
In this day of constant security breaches the incompetence demonstrated by Zotac is astonishing.
Issues about pricing also violate NDA's because wholesalers/warehouses get access to pricing direct from the companies themselves before official release dates. In this case Zotac, but it could be anyone from Nvidia to AMD.
The FTC also just sent letters to Zotac, Asrock & Gigabyte telling them to stop putting "warranty void if removed" stickers on products sold in the US because it's illegal, & to change their warranty policies to reflect that.
Just them? Aren't tons of electronics littered with these stamps?
Schematics? Now I hope to hell someone found this and archived them before they got taken down.
(excluding customer data of course)
Schematics aren't really anything special. When it comes to PC HW you can reverse engineer most stuff in a day or two.
@@Kamtar34 Unfortunately, not. Especially with multi-layer boards. There's a reason Louis Rossmann mentions schematics so much. Even when the boards are simple, sometimes tracing requires removing components, and you can't be sure if a trace is broken or shorted when dealing with a faulty board. Time is money too.
@@Kamtar34 Please if i need to repair something, i'd rather not sacrifice a board or two to taking off everything and sanding through the board for 100 hours and stitching together a lot of pictures, measuring unmarked components, matching topmarks with datasheets, guessing when there isn't a topmark in the datasheet... like it's manageable if you're a cloning operation that counterfeits hardware, or if you're a company who wants to know how your competitor's device works, but for the common usecase it's untenable.
Looks like they use Orcad Capture to draw their schematics.
Its not just improper configuration of the server, its not taking any precautions at all.
These files should never have been stored in a location the web server can serve from directly, avoiding the problem of bad server configuration exposing them. The files should have been stored either in the database or in a folder only a specific script on the server can access, which will only do so if a user is logged in with permissions to do so.
This has NOT been solved, they have merely reinstated security by obscurity again, as solving it would require implementing an actual authentication system so they are not served by the web server directly. The scary thing is, we have no way to know how many businesses are doing exactly this, where merely forgetting to disable indexing on a folder can expose everyones data. Its not good enough, as a bad actor spending enough time may be able to guess filenames and still get some access, it should never be accessible to the web server directly.
Yeah, this is clearly an issue of having no authentication nor authorization systems. Zotac really cheaped out on their website development, or their developer maliciously did this to get customer information to sell.
In the EU: they should have a privacy@ mail address posted on their website - report it there. This case would be a privacy incident which they (as data controller in the sense of GDPR) have to report to their local (/national) data protection authority (within ~72 hours from the moment you notified them). You could also notify the national data protection authority yourself, claiming violation of article 32 GDPR, which is the data controller's obligation to have sufficient technical and organizational (=security) measures in place to prevent such things from happening.
Those 72h are already over, since the viewer that contacted GN already contacted zotac in advance. They also removed their document without fixing everything else, so I'm pretty sure of there is European data in the leaked stuff zotac will have a few really bad weeks upcoming.
@@bastiannenke9613 i meant this informatively for if/when this happens to someone at some future point. Also i doubt Zotac would be fined (unless they are already repeat offenders).
@@VoiDukkha I mean they REALLY fucked that one up on multiple levels and GN basically has proof they tried to ignore the issue. I wouldn't be surprised if there will be a decent fine.
@@bastiannenke9613 nah, that shit happens the time
@@VoiDukkha Not this level. Private files if you know the URI, sure. People have this weird belief that obscurity == security. But it being on Google is a whole other level of f*** up.
I sent my card in for 3 RMAs to them, and they all kept dying. Finally, I got a different model of card, and it has a wack fan on it, and im now out of warranty... but now ig my name and information have been put out there multiple times now as well...
i like the advice on redacting anything that's not required. it reminded me of times when im at the store, buying something or returning something, and they need information about me, and things that aren't related to what I need are requested. In the past i've folded and just shared the information that was asked, but from now on, I'll make up some random nonsense if i feel like it's not required for what i need of the business or company.
I think they need to hire wendall at level 1 tech to go over their server.
Wendell can be summoned via telecom rack!
I was totally expecting Wendell's head to pop up at 6:52
Its not really bad server configuration that is the problem here, it just exposed that their whole file upload system was written poorly. It should never have been storing the files inside the path the web server can access, in order to completely avoid this possibility. Its very basic stuff.
Or Stanley Tweedle 😇
WAN show last night had a passing comment that ZOTAC is probably the biggest they have ever been and "appeared" to have better consumer confidence than ever. 🤦♂️
This after a commenter made a statement suggesting ZOTAC didn't exist anymore.
The company behind Zotac is pretty big anyway. Bigger gpu market share then ie Asus etc.
PC Partner (the company behind Zotac) is big. They have several brands like Inno3D, Manli and Zotac. They also do
Common Linus L
@@elecman748 The real L is people watching it at all, let alone mentioning it here...
@@Skobeloff...that shit has become one big advert 😂
When I worked as platform engineer at a large retailer we had a bucket for uploading public data, mostly product shots that was used by business people; it was literally called "-public". One day we audit the thing because we heard a rumor business people have started using it as some sort of data exchange drive, and found a bunch of internal financial data. Fortunately these people weren't handling customer data directly; this was just after GDPR took effect. We walked over to the divisions office and found out that no, naming a bucket "public" doesn't communicate that it's the ENTIRE public and not just people in the office. We took away access from most people that day and told regular old IT that these people needed some sort of sharepoint access... which they didn't have.
I have lost track of how many Industry issues GN has fixed or put a massive spotlight on at this point. When are you going to do a secret buyer review of LTT's "Just trust me bro" warranty?
You and your team are actually what I would consider to be modern heroes. Honestly, thank you so much for looking out for all of us and helping to keep us informed and safe.
I was expecting ASUS ngl, surprising.
Didn't expect it to be Zotac. Dang.
Thats like saying Didn't expect a company to make a boo boo. All Companies make mistakes
Why, exactly? It's literally just another company like all the other ones.
Their coolers are crappy and they sound like jet engines, stay far away form that brand.
zotac is literally the worst and i own a 3080 ti by them
Why would you not expect it? They're usually a tier below most of the GPU manufacturers cooler quality wise.
Aw shit, here we go again! 😂
Haha, and shop clerks look at me weird when I refuse to give them *any* personal information besides my name when I buy a product :') "Don't you trust us?" Well NO...
They ask you for information 😨
@@viking9442 "But we need your full name, address and phone number so we can register you for the warranty!"
... no, you need my name, you need to print a receipt, and then you are LEGALLY REQUIRED to accept any valid RMA with that receipt.
But well, those poor shop clerks are only doing what they've been ordered to do. Every so often I'll find one who'll nod, reply "yup, you're right, I don't" and be done with it.
As a software developer this is actually wild. You would think that putting stuff like rma data behind authentication would be obvious.
as someone who's done software dev for years and knows basic it sysadmin stuff as well, it's extremely negligent and could've been prevented with maybe 1-2 hours of work. any competent intern with an a+ cert even could've fixed this in a day or two.
Thanks, Steve, for highlighting the lack of precautions taken to protect customers' data. It is important to publicly hold companies accountable; if they are not publicly shamed, nothing will ever change. I know this for a fact. I send an email to a company; crickets. I put them on blast on Twitter, and I get an instant reply.
14:15 - That rep's reaction was absolutely glorious!
Thank you. I'm glad you got that down and shared it with us.
__
(⚠: Some military history nerdery below)
Kinda reminds me of WW2 US Navy's "head honcho" Fleet Admiral Ernest J. King (of infamous temper and having little-to-no patience for pencil pushing bureaucrats) once he found out about Bureau of Ordnance's mind-boggling 2-year-long negligence/incompetence regarding the Mark 14 torpedo.
Sufficed to say, Mr. Perpetually Angry NavyBoss-guy went to have a little chat with BuOrd, and thus-like Steve aptly put it: "shortly after that conversation, things, uh, got set into gear...", finally.
It's incredibly unfortunate that the actual "talk" wasn't transcripted/recorded, because, oh boy-now, there's a boss encounter I'd love to see a VoD of.
Babe wake up, Gamers Nexus is merkin another corporation
Who ran chmod -r 777 on an unauthenticated account?
rm rf! quick!
Honestly, seeing a lot of these leaked business to business exchange documents for myself, I have gained a LOT of sympathy for prebuild providers. The markups AIBs like Zotac have put on them is genuinely insane to me. Normally you expect business to business exchanges to have some kind of bulk discount or markdown. It makes me wonder if this is how the AIBs themselves are being treated by Nvidia and now it is just going downstream. I am just completely flabbergasted because this is not how we would pay for servers at my workplace. We would never pay for a markup.
Ask EVGA how nVIDIA treats them.
There needs to be something similar to the HIPAA law with companies that store consumer information
So sick of all companies leaking information.
Fun fact, in the US companies are allowed to keep your bank account info **forever.**
Not having mandatory data destruction policies for PII is why this happens.
And some in government want websites to have to take in ID data to verify age before accessing social media. Ooof
As far as I can tell, the general definition of "data breach" covers this situation. Usually it's as simple as "if unauthorized access occurrred." This doesn't have to be due to a hardware or software intrusion, and no bad actors need be involved. Depending on who you ask, the definition may even be broader, e.g. "if unauthorized access *may* have occurred" you have had a data breach.
Thanks Steve, This is a great help to All Zotac owners. I almost got an RMA for my 4080 Super just the other day. Now I won't need to worry about something I didn't even know I needed to worry about. Thanks again for your heads up program.
At least they're fixing things. 12 hours after the upload and google results do not show a single result of that sort
Bethesda level of incompetence.
If this happened on my watch, people would be fired 100%. This is gross negligence and not that difficult to prevent. Lots of guides you can find on how to configure nginx. I have tons of publicly accessible web servers that aren't crawled by indexers. Incompetence on multiple levels going almost all the way up.
So true
For those out of the loop: Bethesda got in trouble for something very similar to what's described in this video. If you pre-ordered the Power Edition of Fallout 76, you got a canvas bag that wasn't actually made of canvas. Bethesda was called out on this, and they eventually started making canvas bags after enough public pressure. However, the "claim" tickets for the canvas bag were unsecured and open to public visibility on Bethesda's website, very much like these RMA tickets on Zotac being visible via Google search.
TL;DR - If you requested your canvas bag from Bethesda, you, like the unfortunate Zotac users today, have unintentionally doxxed yourself due to a security issue on the company website.
So Zotac
Duffel Kerfuffle, never forget
Also if you are going to redact anything on a visible document, DO NOT BLUR IT OUT, only use a black box covering the private information. It is very possible to reverse blur to readable quality.
We did for important information. They are black bars. For the rest, that's why we used mosaics in most instances. Anything blurred was just product names out of an abundance of caution.
@@GamersNexus I might be misunderstanding him, but I think they meant that comment as an addendum directed towards other viewers on how to go about redacting information when providing documents to companies. As the PSA portion of the video was addressing - not a criticism of your use of it in the video's examples.
@@cpMetis Yes it was to inform the public more, but I can totally understand how that statement might have been misunderstood. They did it properly in the documents shown in their video.
@@Nextrix the GN reply will help this cut through the noise in the comments at least
LOL. So I just tested it, and the search results are still there, the links are just broken now, someone acted fast to fix their stupid mistake, lol! Great Job as always!
This is one of those things that would make Wendell laugh in depression.
Uh oh-tac
Awesome
Damn.
Fucking up and having internal policy documents set to be too visible is one thing. Not necessarily a good thing, but whatever. You need those accessible to large numbers of employees, and getting a little too generous happens.
But customer information? That is a disaster.
Not all heroes wear capes. GN, the true heroes of the Internet. Love you guys!
Now I see why companies tell you not to post anything personal when corresponding with them because they can't guarantee its protection.
I haven't trusted Zotac since GN themselves exposed a flaw in their 980ti's way back in the day, that they never fixed. I considered them again in the 40 series, but I guess it's back into the NO pile.
Their 3000 series has shit fans like all previous gens. There was a batch of 3070 or 3080 that had just horrible mem temps. Don't know much about 4000 series. It should be fine. Their fans are still shit probably.
What do you think of Palit
I have their 4090, it's a quality product. I had their 2080 before that, also no issues.
@@viking9442 Im a small pc shop so don't get weird on me. I've sold a lot of GPU that were used on mining farms and most of them were cheap pny, gainward, palit. I don't remember if I've had to RMA any of them unlike the bigger brands. Namely zotac, asus and gigabyte. Not many MSI either. Keep in mind that mostly whatever the cheapest was sold the most.
My Zotac 3060 just keeps on giving.
Well this is a fucking nightmare.
Time to set up a "PC companies with bad warranty practices" bingo card
This is one of those situations that can be really helpful for people who struggle with imposter syndrome. Basically everybody's a moron, even people with very important jobs and loads of responsibility. Just do you.
That’s called skipping past the department manager trying to cover his ass and going straight to the board through their business partners. It gets done real quick when the top finds out what their underlings are hiding and money is involved.
There's some routing and account numbers in these files too. Bank accounts and whatnot, unfortunately.
Was looking forward to this. GN bringing the tea and the receipts again.
Well Zotac is just a step above Temu and just below Gigabyte, so not surprised.
Once their wallet is been touched, the problems are magically resolved in record time.
Ironically this might be the only time I can actually google myself and get a hit back. I'll be looking forward to my $2 from the inevitable class action suit.
THANK YOU for doing your due-diligence and reporting this in an ethical way. If something like this went on blast before they took any steps to fix it, that information would've been immediately scraped by so many bad actors before the rest of us could even finish watching the video.
Thank you so much Steve. You're providing a real service with real journalistic integrity
I wonder how long it will take for Google to take down the cached links because at the moment you can still load cached versions of documents even if the site has taken them down.
Louis Rossman was discussing this too I believe. Crazy..
thanks for the reporting.
Gamers Nexus ... Freaking Hero work. Thanks Amigos.
I bought a 2080 Super from the Zotac store, glad I never had to RMA it.
Gamers Nexus, my favorite information and entertainment source :)
There's a reason this is the one youtube channel I've bought merch from!
Same. One and only
oh yikes, I have a zotac RMA from last year, too...
Thanks as always, GN team!
Us government will be very interested in this info... export controls violation bigtime.
Dude, WTF is wrong with tech hardware companies. Not just Zotac but all of them at this point. Why does pressure have to be applied in situations like this?
Many executives do not know how to protect customer data. And for the IT people who speak out, they are usually ignored for cost or laziness among other reasons.
This is why You Guys, and others, are so important, Thanx Guys👍👍
Excellent work Steve and team. Dismaying how poorly our private information is treated though.
Anytime something like this happens, it makes me avoid whatever brand has done it. Even if they're fixing it now, they still let people's data get out due to incompetence.
Especially not knowing what "fix" they implemented. Those files should never have been in a folder the web server could access to begin with, the fix may have just been to rename the folder and disable indexing - which still leaves it open to happening again. We need to know they fixed it properly, which would likely mean completely rewriting the system they are using to manage that folder.
@alexatkin Yup, and the fact that they basically had to have their business threatened in order to "act" proves they don't care about customer safety and privacy really says everything about their practices.
I did the search as I entered the video and clicked the first link and the following links... They all gave me 404's. So I guess they fixed it. Why did GN have to come out with these videos for companies to take responsability for their screw ups? (This message was written before I wacthed the ad spot)
Its always the same with companies. When you have a security issue you basically have 3 options. You get:
- A person that doesnt understand or doesnt care and doesnt forward it
- A person that doesnt care, or downplays it because it was their own fault and theyd rather let everyone suffer than admit or fix their mistake
- A person that knows whats at stake and immediately makes it the highest priority.
Now you can guess where the customers report went. And which person their business partners contacted.
Myself being someone of the third type. Its incredibly frustrating.
One morning you wake up to a Discord DM from a person you never heard of,
"Hey ive been reporting this critical security issue for 3 months and noone is getting back to me"
This is why I give companies as little information as possible, I'm glad I've never dealt with Zotac. I always use a fake name and number when possible and if I ever did have to ship anything I would use a PO box.
I can't believe this is real. How can people in charge of a large company's IT and web infrastructure be this incompetent?
Managers don't consider fully qualified experienced server administrators as a justifiable expense. They sack them and pass the Job onto juniour 2nd line techs who are out of their depth.
Security by obscurity is always a bad idea as it allows this sort of thing to happen. The files were always open to the public, they just assumed nobody would know the filenames - then presumably forgot to disable server indexing so the whole directory listing became visible. They failed the most basic of security precautions, don't have sensitive information where the web server itself can serve directly from in the first place.
@@alexatkin You can't really call it "security by obscurity" when the contents of the directory were found by Google's web crawlers.
Because the decisions about what is *allowed* to be worked on is often made by PHBs that refuse to listen to the experts they themselves hired warning them of very severe issues, instead preferring to focus on meaningless tripe that doesn't help the consumer, partners, or the company.
@@alexatkin The indexing thing is what makes it beyond the pale though. Most servers have directory browsing turned off by default.
*Cracks open a Twisted Tea in this heat.
Perfect timing with this upload 😩Currently I’m 36,000 feet and going 470 mph on my way to Tampa.
That's pretty low and slow
Back in the GTX 460 days, I bought a new one from Zotac. On the box it stated it had a lifetime warranty. 6 years later it failed and since the 460 was EOL, they gave me a 650Ti. Of course I had to show them the original box that clearly stated "Lifetime warranty" as they initially tried to get out of honoring the warranty. After I sent a pic of the box with the POP, they were quick to replace my dead 460. Only time I've dealt with them but it was over a positive one.
Even if Zotac fixes the issue after this video, they refused to fix it before the video, and we shouldn't have to tell them to do their job for them to get it done. Thank you GN!
Looks like all the PDF's are 404 now but some PIA is still indexed on the Google search results like home addresses and names.
Great work Steve, you are making the interwebz a bit safer, and by doing so making tech compagnies rethink their actions, keep up the good work, Sir Steve Protector of the Enthusiasts
Thanks Steve!