E-Commerce Company Gearbest Leaked User Information


Chinese e-commerce company Gearbest has failed to properly secure some of its databases, thus leaking users’ personally identifiable information (PII), VPNMentor’s researchers have discovered. Gearbest has downplayed the impact of the incident, which it has blamed on an error made by a member of its security team.

Highly successful, Gearbest sells electronics and appliances, clothing, accessories, and homeware. Owned by Chinese conglomerate Globalegrow, the company ships to most countries around the world and operates several internationally successful sites.

However, one of the company’s databases, an Elasticsearch cluster, and those belonging to its sister companies were found to be completely unsecured, thus allowing potential hackers to access a broad range of data, including orders, payments and invoices, and information on its customers.

These databases leaked information such as products purchased, shipping address and postcode, and customer name, email address, phone number, order numbers, payment information, IP address, username, address, date of birth, national ID and passport details, and account passwords.

The security researchers say they were able to access a database containing over 1.5 million records, and that sensitive information such as email addresses and passwords was being stored unencrypted, although the company claims to be properly protecting user data.
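The article reports passwords stored in the clear; the expected alternative is to keep only a salted, slow hash so that even a leaked record reveals nothing reusable. The block below is an added example (not Gearbest's code) using Python's standard-library `hashlib.scrypt`; the record layout and the sample user are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors: 2**14 iterations, block size 8, parallelism 1 (about 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Derive a key from the password with a random 16-byte salt; return (salt, key)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute the key from the candidate password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


def make_record(username: str, email: str, password: str) -> dict:
    """Build the account document to persist. The plaintext password never enters it."""
    salt, key = hash_password(password)
    return {
        "username": username,
        "email": email,
        "pw_salt": salt.hex(),
        "pw_hash": key.hex(),
        "pw_kdf": f"scrypt:n={SCRYPT_N},r={SCRYPT_R},p={SCRYPT_P}",  # lets parameters evolve
    }


def check_login(record: dict, password: str) -> bool:
    """Authenticate against a stored record."""
    return verify_password(password, bytes.fromhex(record["pw_salt"]),
                           bytes.fromhex(record["pw_hash"]))


if __name__ == "__main__":
    # Constructed sample user, not real data.
    rec = make_record("alice", "alice@example.invalid", "correct horse battery staple")
    print(rec)                                           # no plaintext password field
    print(check_login(rec, "correct horse battery staple"))  # True
    print(check_login(rec, "wrong"))                         # False
```

Storing the KDF parameters alongside the hash lets the work factor be raised later without invalidating existing accounts, and the constant-time comparison avoids leaking partial matches through timing. Fields such as the IP address or passport details would need the same scrutiny: if they are not required for fulfilment, the safest storage is none at all.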

On top of that, much of the information held in the database (such as the IP address) is not needed to run an e-commerce store at all.

“This is particularly worrying given the current trend towards a more open and honest internet. Service providers across multiple industries strive to increase transparency for their customers. Gearbest’s shady practices do the opposite,” VPNMentor notes.

The researchers claim that the leaked information allowed them to access Gearbest accounts and change the login credentials and other data associated with them. Malicious actors could have abused the data to steal customer identities or carry out other fraud.

With customers from all over the world, some of the leaked data, such as the full content of orders, could prove damaging to users in countries with strict laws.