Gearbest security lapse exposed millions of shopping orders

Gearbest, a Chinese online shopping giant, has exposed millions of user profiles and shopping orders, security researchers have found.

Security researcher Noam Rotem found an Elasticsearch server leaking millions of records each week, including customer data, orders and payment records. The server wasn’t protected with a password, allowing anyone to search the data.

Gearbest ranks as one of the top 250 global websites, and serves top brands, including Asus, Huawei, Intel and Lenovo.

TechCrunch contacted Gearbest — through its dedicated security page — to secure the database. The company neither secured the data nor responded to our request for comment.

Rotem, who shared his findings with TechCrunch and published his report at VPNMentor, said names, addresses, phone numbers, email addresses and customer orders and products purchased were among the data exposed. The database also had payment and invoice information, with amount spent and semi-masked names and email addresses.

After reviewing a portion of the data, TechCrunch found the database revealed exactly what customers bought, when and where the items were sent.

Some of the member-specific records also included passport numbers and other national ID data. Rotem said there was little evidence of encryption, and in some cases none at all.

“The content of some people’s orders has proven very revealing,” Rotem said. Not only are the exposed orders a breach of customer privacy, the exposed data could endanger customers in parts of the world where freedom of speech and expression is limited. Some of the listings for sex toys and other intimate purchases, for example, could lead to legal repercussions where LGBTQ+ relationships or pre-marital sex are banned.

Countries like the United Arab Emirates and Pakistan have some of the strictest laws, which can lead to punishment by death.

Rotem also found a separate exposed web-based database management system on the same IP address, allowing anyone to manipulate or disrupt the databases run by Gearbest’s parent company, Globalegrow,

It’s not known exactly how long the server was exposed. Data from internet scanning site Binary Edge showed the database was first detected on March 7.

Shenzhen-based Gearbest has a large presence in Europe, with warehouses in Spain, Poland, Czech Republic and the U.K., where EU data protection and privacy laws apply. Any company violating the General Data Protection Regulation (GDPR) can be fined up to four percent of its global revenue.

This is the second security issue at Gearbest in as many years. In December 2017, the company confirmed accounts had been breached after what was described as a credential stuffing attack.