GearBest is one of the most popular Chinese online stores, and we often feature products sold by the company on this website. However, the vpnMentor research team headed by Noam Rotem, a white hat hacker and activist, discovered a serious security breach at GearBest, whose database was left completely unsecured for a period of time.
Specifically, the research team was able to access the following databases in March 2019:
- Orders database with products purchased, shipping address and postcode, customer name, email address, phone number
- Payments and invoices database with order number, payment type, payment information, email address, name, IP address
- Members database with name, address, date of birth, phone number, (unencrypted) email address, IP address, national ID and passport information, (unencrypted) account password
They discovered 1.5+ million records in total. For testing, they managed to log in successfully to two accounts taken from the exposed database. Payment information included data related to Boleto (used in Brazil) and Oxxo (used in Mexico), which would allow potential hackers to access customers’ receipts and their banking information. The researchers also noted that GearBest sells some adult toys, and if you wanted to purchase those discreetly, your list of purchases was simply open for anybody (with the right skills) to see.
GearBest saw the report published on March 15, and corrected and explained the issue in a post on Facebook, reproduced below.
So, provided GearBest’s statement is accurate, it’s bad, but not as catastrophic as it first appeared, at least if you did not order anything from the company, or first register with the company, between March 1 and 15. Basically, a firewall was taken down for two weeks, and 280,000 users (or is that orders?) were affected during that time. The company has now restored the firewall, and should have already reset the passwords of affected users.
The statement did not mention anything about encrypting the data in those databases, however, but hopefully they’ll do something about it. If they don’t, and if for whatever reason the firewall is taken down again or breached, the data will be publicly available again.