GearBest is one of the most popular Chinese online stores, and we often feature products sold by the company on the website. However, VPNMentor research team headed by Noam Rotem, a hat hacker and activist, discovered a serious security breach in Gearbest, where their database was completely unsecured for a period of time.
Specifically the research team was able to access the following databases in March 2019:
- Orders database with products purchased, shipping address and postcode, customer name, email address, phone number
- Payments and invoices database with order number, payment type, payment information, email address, name, IP address
- Members database with name, address, date of birth, phone number, (unencrypted) email address, IP address, national ID and passport information, (unencrypted) account password
They discovered 1.5+ million records in total. They managed to login successfully to two accounts from the database breach for testing. Payment information included data related Boleta (used in Brazil) and Oxxo (used in Mexico) which would allow potential hackers to access customer’s receipts and their banking information. The company also noticed that GearBest sells some adult toys, and if you wanted to purchase those discreetly your list of purchases was just open for anybody (with the right skills) to see.
GearBest saw the report published on March 15, and corrected & explained the issue in a post in Facebook reproduced below.
So provided GearBest statement is accurate, it’s bad, but not as catastrophic as it first appeared, at least if you did not order anything from the company, or did not first registered with the company, on March 1-15. Basically, a firewall was taken down for two weeks, and 280,000 users (or is that orders?) were affected during that time. The company has now restored the firewall, and should have already reset password of affected users.
The statement did not mention anything about encrypting data in those databases however, but hopefully they’ll do something about it. If they don’t, and if for whatever reason the firewall is taken down again or breached, the data will be available publicly again.
Via SecurityWeek
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
I don’t get it was it all users or just some? But whatever happened storing all sorts of crap in plaintext only secured by a so called firewall. That means everyone within the organisation has access to the db in any case.
I thought white hat hackers warned the companies and gave some time to fix them problem before going public ?
I heard GB didn’t give a dime for 2 weeks..
Wrong, if you compare the timing, it look like VPNMentor published the security breach really fast. It got discovered on 1st March and corrected the 15th.
Wonderful, haven’t bought anything from Gearbest for over 2 years , last Thursday (14th) I made a purchase.