
E-Commerce Company Gearbest Leaked User Information

Chinese e-commerce company Gearbest has failed to properly secure some of its databases, thus leaking users’ personally identifiable information (PII), VPNMentor’s researchers have discovered. Gearbest has downplayed the impact of the incident, which it has blamed on an error made by a member of its security team.


Gearbest, a highly successful retailer, sells electronics and appliances, clothing, accessories, and homeware. Owned by Chinese conglomerate Globalegrow, the company ships to most countries around the world and operates several internationally successful sites.

However, one of the company’s databases, an Elasticsearch cluster, and those belonging to its sister companies were found to be completely unsecured, thus allowing potential hackers to access a broad range of data, including orders, payments and invoices, and information on its customers.

These databases leaked information such as products purchased, shipping address and postcode, and customer name, email address, phone number, order numbers, payment information, IP address, username, address, date of birth, national ID and passport details, and account passwords.

The security researchers say they were able to access a database containing over 1.5 million records, and that sensitive information such as email addresses and passwords was being stored unencrypted, although the company claims to be properly protecting user data.
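A defender's check for the kind of exposure described above, added here as an example (not code from the article, VPNMentor or Gearbest): it probes a cluster you operate with no credentials, classifies it as open or authentication-required, and totals the documents readable anonymously. The sample replies and URLs are constructed, not captured from any real system.

```python
# Audit whether an Elasticsearch endpoint answers without credentials.
# Added example for this article, not code from SecurityWeek, VPNMentor or
# Gearbest; run it only against clusters you operate. Samples are constructed.
import json
import urllib.error
import urllib.request


def fetch(base_url, path, timeout=5):
    """GET base_url+path with no credentials; return (status, body)."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:       # 401/403 etc. still carry a status
        return e.code, ""
    except (urllib.error.URLError, OSError):  # refused, DNS failure, timeout
        return None, ""


def classify(root_status, root_body, cat_status):
    """'open' means GET / and GET /_cat/indices both succeed anonymously."""
    if root_status is None:
        return "unreachable"
    if root_status in (401, 403) or cat_status in (401, 403):
        return "auth-required"
    try:
        info = json.loads(root_body)
    except (TypeError, ValueError):
        info = {}
    looks_like_es = "cluster_name" in info and "version" in info
    if root_status == 200 and cat_status == 200 and looks_like_es:
        return "open"
    return "unknown"


def total_docs(cat_body):
    """Sum docs.count over GET /_cat/indices?format=json output."""
    return sum(int(i.get("docs.count") or 0) for i in json.loads(cat_body))


def audit(base_url):
    """Probe one cluster; report verdict plus records readable anonymously."""
    root_status, root_body = fetch(base_url, "/")
    cat_status, cat_body = fetch(base_url, "/_cat/indices?format=json")
    verdict = classify(root_status, root_body, cat_status)
    docs = total_docs(cat_body) if verdict == "open" else 0
    return {"url": base_url, "verdict": verdict, "documents": docs}


# Constructed sample replies shaped like a real cluster's responses.
SAMPLE_ROOT = json.dumps({"cluster_name": "shop", "version": {"number": "0.0.0"}})
SAMPLE_CAT = json.dumps([{"index": "orders", "docs.count": "1200000"},
                         {"index": "users", "docs.count": "300000"}])
```

A verdict of "open" on a cluster bound to a public interface means anyone can read every index without a password, which is the condition the researchers describe.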

On top of that, a lot of the information included in the database (such as the IP address) isn’t needed for an e-commerce store to process and fulfil orders.

“This is particularly worrying given the current trend towards a more open and honest internet. Service providers across multiple industries strive to increase transparency for their customers. Gearbest’s shady practices do the opposite,” VPNMentor notes.

The researchers claim that the leaked information allowed them to access Gearbest accounts and make changes to the login information and other data associated with them. Malicious hackers could have abused the data to steal customer identities or perform other operations.


With customers from all over the world, some of the leaked data, such as the full content of orders, could prove damaging to users in countries with strict laws.

On top of that, some of the leaked information included URLs granting access to Gearbest’s – and Globalegrow’s – Kafka system, a message-streaming platform the companies use to regulate the volume of site data passing through their servers and to collect it for analytics.

“This kind of access allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management,” the researchers say.

The researchers claim they have repeatedly attempted to contact both Gearbest and Globalegrow to inform them of the unprotected database, but that they received no response by the time they published their research.

In a statement published after VPNMentor disclosed its findings (complete statement is at the end of the article), Gearbest claimed that only a database associated with external tools used to improve efficiency and prevent data overload was exposed to the Internet for a short period of time, due to an error made by a member of its security team. The company says the number of impacted customers is only around 280,000, representing users who placed orders between March 1 and March 15. The company claims it has taken steps to secure the data and the accounts of affected users.

“Companies like Gearbest cannot afford to ignore vulnerability reports from external security researchers. […] In Gearbest’s case, a database containing huge swaths of sensitive customer information is critical to the business, and addressing any vulnerabilities in its security should have been highly prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs,” Jonathan Bensen, CISO and senior director of product management at Balbix, told SecurityWeek in an emailed comment.

“Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords, were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more,” Brian Johnson, CEO and co-founder of DivvyCloud, said.

“What we’ve seen — and continue to see — is companies are accelerating their use of technologies more than they’re enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch. The data exposure highlights how modern data repositories have created a fundamental conflict in businesses,” Terry Ray, SVP and Imperva Fellow, commented.

Gearbest statement on data leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
