Gearbest, a Chinese online shopping giant, has exposed millions of user profiles and purchase orders, security researchers have discovered.
Noam Rotem, a security researcher, discovered an Elasticsearch server that was accumulating millions of records every week, including customer data, orders and payment records. The server was not password protected, allowing anyone to search the data.
Gearbest is among the world's top 250 websites and serves leading brands such as Asus, Huawei, Intel and Lenovo.
TechCrunch contacted Gearbest – via its dedicated security page – to ask it to secure the database. The company has neither secured the data nor responded to our request for comment.
Rotem, who shared his findings with TechCrunch and published his report on VPNMentor, said names, addresses, phone numbers, email addresses, sales orders and purchased products were among the data exposed. The database also contained payment and invoice information, including the amount spent and partially masked names and email addresses.
After reviewing some of the data, TechCrunch found that the database revealed exactly what customers had purchased, when, and where the items had been sent.
Some of the customer records also included passport numbers and other national identification data. Rotem said there was little evidence of encryption, and in some cases none.
"The content of some people's orders has been revealing," said Rotem. Not only do the exposed orders violate customers' privacy, but the exposed data could also endanger customers in parts of the world where freedom of speech and expression is limited. Some of the listings for sex toys and other intimate purchases, for example, could have legal consequences where LGBTQ+ relationships or premarital sex are prohibited.
Countries like the United Arab Emirates and Pakistan have some of the toughest such laws, which can carry a death sentence.
Rotem also found a separate web-based database management system on the same IP address, which would allow anyone to manipulate or disrupt databases managed by Gearbest's parent company, Globalegrow.
It is not clear exactly how long the server was exposed. Data from the internet scanning site Binary Edge showed that the database was first detected on March 7.
Headquartered in Shenzhen, Gearbest has a strong presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the United Kingdom, where EU data protection and privacy laws apply. Any company that violates the General Data Protection Regulation (GDPR) may be fined up to 4% of its overall turnover.
This is the second security incident at Gearbest in as many years. In December 2017, the company confirmed that user accounts had been breached as a result of an attack.