Chinese e-commerce company Gearbest has failed to properly secure some of its databases, thus leaking users’ personally identifiable information (PII), VPNMentor’s researchers have discovered. Gearbest has downplayed the impact of the incident, which it has blamed on an error made by a member of its security team.
A large and commercially successful retailer, Gearbest sells electronics and appliances, clothing, accessories, and homeware. Owned by Chinese conglomerate Globalegrow, the company ships to most countries around the world and operates several internationally successful sites.
However, one of the company’s databases, an Elasticsearch cluster reachable from the Internet without any authentication, along with databases belonging to its sister companies, was found to be completely unsecured, allowing anyone who located it to access a broad range of data, including orders, payments and invoices, and information on its customers.
These databases leaked customer names, email addresses, phone numbers, usernames and account passwords; shipping addresses and postcodes; products purchased, order numbers and payment information; IP addresses; dates of birth; and national ID and passport details.
The security researchers say they were able to access a database containing over 1.5 million records, and that sensitive information such as email addresses and passwords was stored in plaintext, despite the company’s claim that it properly protects user data. Passwords in particular should be stored only as salted hashes, so that even a leaked database does not hand an attacker usable credentials.
On top of that, much of the information held in the database, such as customer IP addresses, is not needed to run an e-commerce store, so retaining it adds exposure without any business value.
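The exposure described above, an Elasticsearch REST endpoint that answers without credentials, is straightforward to check for. The script below is an added example written for this article; it is not code from vpnMentor, Gearbest or Globalegrow. It probes a host's REST port, classifies the response to `GET /` (open, authentication required, or something else), and if the cluster is open parses `GET /_cat/indices?format=json` to total the document count and flag index names that look like they hold customer PII. The `PII_HINTS` heuristic, the host name and the `SAMPLE_*` responses are all assumptions constructed for illustration; the sample responses mirror the shape of real Elasticsearch output so the parsing logic can be exercised offline.

```python
"""Audit an Elasticsearch endpoint for unauthenticated exposure.

Added example for this article; not code from vpnMentor, Gearbest or
Globalegrow. Host names and the SAMPLE_* responses are constructed.
"""
import json
import urllib.error
import urllib.request

# Index-name fragments that suggest customer PII is stored.
# Assumption: a heuristic for triage, not an Elasticsearch feature.
PII_HINTS = ("user", "customer", "member", "order", "payment", "invoice",
             "account", "address", "passport")


def fetch(url, timeout=5):
    """GET url and return (status, body). 401/403 are answers, not errors."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify_root(status, body):
    """Classify the response to GET / on the REST port (9200 by default).

    open          -> cluster metadata returned with no credentials
    auth-required -> security is enabled (basic auth / API key challenge)
    other         -> not Elasticsearch, or not reachable as such
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other"
        if isinstance(doc, dict) and ("cluster_name" in doc or "version" in doc):
            return "open"
    return "other"


def summarize_indices(cat_json):
    """Parse GET /_cat/indices?format=json.

    Returns (total document count, [(index name, docs) for PII-looking indices]).
    'docs.count' is a string in the cat API, or None for closed indices.
    """
    total = 0
    suspicious = []
    for entry in json.loads(cat_json):
        name = entry.get("index", "")
        raw = entry.get("docs.count")
        count = int(raw) if raw not in (None, "") else 0
        total += count
        if any(hint in name.lower() for hint in PII_HINTS):
            suspicious.append((name, count))
    return total, suspicious


def audit(host, port=9200, timeout=5):
    """Describe the exposure of host:port when no credentials are supplied."""
    base = f"http://{host}:{port}"
    status, body = fetch(base + "/", timeout)
    verdict = classify_root(status, body)
    result = {"host": host, "verdict": verdict, "total_docs": 0, "pii_indices": []}
    if verdict == "open":
        status, body = fetch(base + "/_cat/indices?format=json", timeout)
        if status == 200:
            result["total_docs"], result["pii_indices"] = summarize_indices(body)
    return result


# Constructed sample responses, shaped like real Elasticsearch output.
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "shop-es",
    "version": {"number": "6.4.2"}, "tagline": "You Know, for Search",
})
SAMPLE_ROOT_SECURED = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})
SAMPLE_CAT = json.dumps([
    {"health": "green", "status": "open", "index": "shop_orders",
     "docs.count": "1523418", "store.size": "2.1gb"},
    {"health": "green", "status": "open", "index": "member_accounts",
     "docs.count": "280119", "store.size": "310mb"},
    {"health": "yellow", "status": "open", "index": "logstash-2019.03.01",
     "docs.count": "90001", "store.size": "88mb"},
    {"health": "red", "status": "close", "index": "old_payments",
     "docs.count": None, "store.size": None},
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(audit(sys.argv[1]), indent=2))   # live probe of a host you own
    else:
        print(classify_root(200, SAMPLE_ROOT_OPEN))        # open
        print(classify_root(401, SAMPLE_ROOT_SECURED))     # auth-required
        print(summarize_indices(SAMPLE_CAT))
```

Run it with a host name to probe a cluster you are authorised to test; with no argument it exercises the parsing on the constructed samples. A cluster that answers "open" here is in the state described in the article: the fix is to bind the REST listener to a private interface and enable authentication, not to hope the address stays unnoticed.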
“This is particularly worrying given the current trend towards a more open and honest internet. Service providers across multiple industries strive to increase transparency for their customers. Gearbest’s shady practices do the opposite,” VPNMentor notes.
The researchers claim that the leaked information allowed them to access Gearbest accounts and make changes to the login information and other data associated with them. Malicious hackers could have abused the data to steal customer identities or perform other operations.
With customers from all over the world, some of the leaked data, such as the full content of orders, could prove damaging to users in countries with strict laws.
On top of that, some of the leaked information included URLs granting access to Gearbest’s and Globalegrow’s Kafka system. Apache Kafka is a distributed event-streaming platform; e-commerce operators typically use it to move order, inventory and analytics events between services and to buffer high-volume site data before it reaches their databases, so access to it reaches well beyond a single data store.
“This kind of access allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management,” the researchers say.
The researchers claim they have repeatedly attempted to contact both Gearbest and Globalegrow to inform them of the unprotected database, but that they received no response by the time they published their research.
In a statement published after VPNMentor disclosed its findings (the complete statement is at the end of the article), Gearbest claimed that only a database associated with external tools used to improve efficiency and prevent data overload had been exposed to the Internet, for a short period of time, due to an error by a member of its security team. The company puts the number of impacted customers at around 280,000, namely users who placed orders between March 1 and March 15, and says it has taken steps to secure the data and the accounts of affected users.
“Companies like Gearbest cannot afford to ignore vulnerability reports from external security researchers. […] In Gearbest’s case, a database containing huge swaths of sensitive customer information is critical to the business, and addressing any vulnerabilities in its security should have been highly prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs,” Jonathan Bensen, CISO and senior director of product management at Balbix, told SecurityWeek in an emailed comment.
“Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords, were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more,” Brian Johnson, CEO and co-founder of DivvyCloud, said.
“What we’ve seen — and continue to see — is companies are accelerating their use of technologies more than they’re enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch. The data exposure highlights how modern data repositories have created a fundamental conflict in businesses,” Terry Ray, SVP and Imperva Fellow, commented.