GearBest Database Was Left Unsecured For 2 Weeks


GearBest is one of the most popular Chinese online stores, and we often feature products sold by the company on this website. However, the VPNMentor research team, headed by Noam Rotem, a white hat hacker and activist, discovered a serious security breach at GearBest: the company's databases were left completely unsecured for a period of time.


Specifically, the research team was able to access the following databases in March 2019:

  • Orders database with products purchased, shipping address and postcode, customer name, email address, phone number
  • Payments and invoices database with order number, payment type, payment information, email address, name, IP address
  • Members database with name, address, date of birth, phone number, (unencrypted) email address, IP address, national ID and passport information, (unencrypted) account password

They discovered over 1.5 million records in total, and managed to log in successfully to two accounts taken from the exposed database for testing. Payment information included data related to Boleto (used in Brazil) and Oxxo (used in Mexico), which would allow potential attackers to access customers' receipts and their banking information. The researchers also noticed that GearBest sells some adult toys, so if you wanted to purchase those discreetly, your list of purchases was open for anybody (with the right skills) to see.

GearBest saw the report published on March 15, and corrected and explained the issue in a post on Facebook, reproduced below.

So, provided GearBest's statement is accurate, it's bad, but not as catastrophic as it first appeared, at least if you did not order anything from the company, or did not first register with the company, between March 1 and 15. Basically, a firewall was taken down for two weeks, and 280,000 users (or is that orders?) were affected during that time. The company has now restored the firewall, and should already have reset the passwords of affected users.

The statement did not mention anything about encrypting the data in those databases, however; hopefully they will do something about it. If they don't, and if for whatever reason the firewall is taken down again or breached, the data will be publicly available once more.

Via SecurityWeek

Comments

Diego

I don’t get it, was it all users or just some? But whatever happened, storing all sorts of crap in plaintext only secured by a so-called firewall... That means everyone within the organisation has access to the db in any case.

theguyuk

I thought white hat hackers warned the companies and gave them some time to fix the problem before going public?

Diego

I heard GB didn’t give a dime for 2 weeks..

Singman

Wrong, if you compare the timing, it looks like VPNMentor published the security breach really fast. It got discovered on 1st March and corrected on the 15th.

Terry

Wonderful, I haven’t bought anything from Gearbest for over 2 years, and last Thursday (14th) I made a purchase.