2025-07-07

Developer Michael Lynch returned a disk drive to supplier goHardDrive after finding a flaw in its Return Merchant Authorization (RMA) process that he claimed could have accidentally published thousands of customer details. The reseller responded by improving access control, and later disabling the lookup feature entirely to mitigate the risk.

The goHardDrive business is a direct-to-consumer disk and SSD sales operation based in La Puente in the greater Los Angeles area, California, with its own website and sales also made through e-commerce sites such as Amazon, eBay, Newegg and Walmart. It says it focuses on quality of services and lowest prices, “specializing in providing computer-related excess inventory, manufacturer-closeouts, high-demand and unusual computer components and peripherals at highly-discounted prices to you!”

Michael Lynch.

Lynch claims that “goHardDrive Leaked Personal Data for Thousands of Customers” based on his own experience. He returned three purchased disk drives, two of which were dead on arrival, to the etailer using its RMA procedure and was given a 5-digit RMA number. He used this to check the status of his return, and the website showed the status along with his name, postal address, email address, order number and date, the products being returned and the reason for their return. It would also have included his phone number, but he had not provided that. So far so good.

But he repeated the check, mistyping the last digit of his RMA number, and says he got another customer’s RMA details. Lynch notes that the RMA check form was “public and had no authentication, rate limits, or CAPTCHA.”

“It would be trivial to write a script that sends an HTTP GET request replacing 12345 with every number from 00001 to 99999 and scrapes the personal details of every goHardDrive customer who had requested a return.”

Lynch says he “emailed goHardDrive about this issue on May 21, 2025. To their credit, they responded within two hours to acknowledge the issue and confirm that they would deploy a fix within three to five business days.” The firm altered their RMA form to require customers to enter their postal (ZIP) code and house number before fetching any details.

This was insufficient to deter any determined hacker, he adds, noting there are ~42k valid ZIP codes and the majority of house numbers “are likely to fall in the range of 1 to 100.” He calculates that “the worst case is that an attacker has to try about 42k x 100 = 4.2M possible combinations to leak details associated with an RMA number. Optimizing by common ZIP codes and house numbers probably means the attacker has >50 percent chance of success after about 50k guesses.”

He “followed up with goHardDrive to tell them that I thought the new mitigations were insufficient.” The RMA status page should not reveal any customer details, only the RMA status. As a result goHardDrive removed “the RMA status check from their website entirely” and said “customers could just email them for status updates.”
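The design change Lynch argued for, modelled as an added example (not goHardDrive's code, whose implementation the article does not show): a sequential-ID lookup that hands back the whole record, beside a status-only lookup that requires an unguessable per-RMA token, compares it in constant time and caps lookups per client. The RMA numbers, records and IP addresses are constructed.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample data; the 5-digit RMA numbers are hypothetical.
RMA_RECORDS = {
    "12345": {"status": "Received", "name": "A. Customer",
              "address": "1 Example St, 90000", "email": "a@example.com"},
    "12346": {"status": "Refund issued", "name": "B. Customer",
              "address": "2 Example Ave, 90001", "email": "b@example.com"},
}


def vulnerable_lookup(rma_number):
    """Original design: the RMA number alone is the key, so mistyping
    (or iterating) the last digit returns another customer's full record."""
    return RMA_RECORDS.get(rma_number)


# Hardened design: a random token is generated per RMA and sent only to the
# customer (e.g. in the RMA confirmation email). Knowing the RMA number is
# not enough; the token space (128 bits) cannot be enumerated.
RMA_TOKENS = {rma: secrets.token_urlsafe(16) for rma in RMA_RECORDS}

MAX_ATTEMPTS = 5          # per-client cap stands in for real rate limiting
_attempts = defaultdict(int)


def hardened_lookup(rma_number, token, client_ip):
    """Status-only lookup: returns no personal data even on success,
    gives the same answer for a bad RMA and a bad token, and throttles."""
    if _attempts[client_ip] >= MAX_ATTEMPTS:
        return {"error": "rate limited"}
    _attempts[client_ip] += 1
    expected = RMA_TOKENS.get(rma_number)
    # compare_digest avoids a timing side channel; comparing against a dummy
    # when the RMA is unknown keeps the timing uniform as well.
    if not hmac.compare_digest(expected or "x" * 22, token):
        return {"error": "not found"}
    return {"status": RMA_RECORDS[rma_number]["status"]}
```

Contrast the two: the first function reproduces the flaw the article describes, while the second would have left a mistyped digit returning nothing but "not found".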

Lynch says there is no goHardDrive bug bounty but the etailer “refunded $20 of my $330 purchase as a thank you.” He also complains about the firm’s general RMA procedure in his blog.

There’s no evidence that anyone besides Lynch used the alleged flaw to obtain other customers’ personal details.

A goHardDrive spokesperson told us: “The article’s title suggests a large-scale customer data leak, which we believe is misleading. There was no confirmed data breach or compromise. The assumptions made in the article were based on guesswork involving our RMA number sequence. Additionally, the RMA website is completely separate from our shopping cart platform and does not store any credit card or sensitive payment data. It is used strictly for processing product returns.

“In reality, fewer than 1 percent of our customers use the RMA website. Most customers reach out to us directly via email for returns or RMA status updates. Moreover, the majority of our customers are from platforms like Amazon and eBay, where returns are managed by those marketplaces themselves, limiting any direct interaction with our RMA system or direct contact with us via email.

“We do appreciate Michael’s efforts in identifying a potential vulnerability in our RMA status lookup tool. In response, we promptly added verification fields (Street Name and ZIP Code) to improve access control. Ultimately, we decided to disable the lookup feature entirely, as it was rarely used (approximately 10~20 searches per month) and posed unnecessary risk.

“We’ve been in business for over 17 years and always strive to deliver excellent service while safeguarding our customers’ data. Although our RMA database never stored sensitive information like credit card details, we take all concerns seriously and are grateful that this issue was brought to our attention. As a small reseller business, we are not a software company; feedback like this helps us improve.”