Researchers working for VPNMentor have accused Chinese e-commerce site Gearbest of storing user information in "completely unsecured" Elasticsearch databases after discovering "1.5 million records" which they were able to access through a browser.
The wholesaler – which mostly shifts electronics and whose parent firm is Shenzhen e-commerce giant Global Top* – disputed this, claiming that 280,000 customers' data had been exposed. Whatever the true figure, this is an embarrassing cockup that will do nothing to enhance consumer confidence in the e-shop.
VPNMentor's white hats said they had found a treasure trove of personal data spread across three internal databases, including:
- Products purchased
- Shipping address and postcode
- Customer name
- Email address
- Phone number
- Order number
- Payment type
- Payment information
- IP address
- Date of birth
- National ID and passport information
- Account passwords
"Gearbest's database isn't just unsecured. It's also providing potentially malicious agents with a constantly updated supply of fresh data," VPNMentor commented, highlighting the obvious potential for identity theft and placing fraudulent orders with saved payment data.
In a response shared on Twitter by lead researcher Noam Rotem, Gearbest insisted the vuln affected an "external tool" rather than its core databases, claiming that customer data was "protected with all necessary encryption measures and are absolutely safe", something that does not appear to have been true when Rotem's team found the breach.
In an attempt to explain the breach, Gearbest admitted that on 1 March firewalls protecting its databases from public access "were mistakenly taken down by one of our security team members for reasons still being under investigation" [sic].
VPNMentor also went into a little detail about those who had bought sex toys from the site, including a Pakistani man who'd treated himself to three dildos. Highlighting Pakistan's backwards attitude to LGBT rights, VPNMentor said "this information could mean a literal death sentence for this user". ®
* Formerly Global Egrow , a $1bn-plus revenue firm.