
Unencrypted Gearbest database leaves over 1.5 million shoppers’ records exposed

19 Mar 2019

Security researcher Noam Rotem has discovered a major data exposure at the Shenzhen-based e-commerce site Gearbest.

The online shopping website ships goods to over 250 countries and ranks in the top 100 websites in almost 30% of these regions, according to VPNMentor.

Rotem and his team of ethical hackers at VPNMentor found that the company stores this data in an Elasticsearch database that was reachable from the internet without any authentication, although such databases are not designed to be exposed in that way.

They also reported being able to access over 1.5 million records in different areas of Gearbest’s unencrypted database, including:

  • Orders database, including purchased products, shipping address and postcode, customer names, email addresses, and phone numbers
  • Payments and invoices database, including order number, payment type, payment information, email address, name, and IP address
  • Members database, including name, address, date of birth, phone number, email address, IP address, national ID and passport information, and account passwords

Using the leaked information, Rotem's team found they were able to log into Gearbest accounts and operate them with full user privileges, viewing current and past orders, accumulating Gearbest points, and changing account passwords and details.

In a worst-case scenario, VPNMentor’s research found that by cross-referencing the different databases, hackers could steal the identities of Gearbest customers.

Depending on the countries and information requirements, the data available can give hackers access to online government portals, banking apps, and health insurance records, to name a few.
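The exposure described above comes down to one question a scanner asks: does the Elasticsearch HTTP port answer an anonymous GET? The following script is an added example, not code from VPNMentor or Gearbest. It requests the cluster root document and the index listing the way an unauthenticated visitor would, and summarises what is readable. The host `es.example.test`, the index names and the document counts are constructed for the example; the `fetch` parameter is there so the logic runs offline on those constructed responses, while the default `http_fetch` talks to a real host you are authorised to test.

```python
"""Audit whether an Elasticsearch endpoint answers without credentials.

Added example, not code from the VPNMentor report or from Gearbest. The
fetch function is injectable so the decision logic can be exercised offline
on constructed responses; the default uses urllib against a real host.
"""
import json
import urllib.error
import urllib.request

# Index-name fragments that usually mean personal data is inside. This list
# is an assumption for the example; tune it to your own naming conventions.
SENSITIVE_HINTS = ("order", "payment", "invoice", "member", "user", "customer", "account")


def http_fetch(url, timeout=5):
    """Unauthenticated GET returning (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit_elasticsearch(base_url, fetch=http_fetch):
    """Classify an endpoint as open, auth_required, not_elasticsearch or unexpected.

    For an open cluster the result also carries the cluster name, version,
    every index with its document count, the total, and the indices whose
    names hint at personal data.
    """
    base_url = base_url.rstrip("/")
    status, body = fetch(base_url + "/")
    if status in (401, 403):
        # X-Pack security (or a proxy) is challenging anonymous requests.
        return {"state": "auth_required", "status": status}
    if status != 200:
        return {"state": "unexpected", "status": status}
    try:
        root = json.loads(body)
    except json.JSONDecodeError:
        return {"state": "not_elasticsearch", "status": status}
    if "cluster_name" not in root or "version" not in root:
        return {"state": "not_elasticsearch", "status": status}

    finding = {
        "state": "open",
        "cluster_name": root["cluster_name"],
        "version": root["version"].get("number"),
        "indices": [],
        "total_docs": 0,
        "sensitive_indices": [],
    }
    # _cat/indices with format=json returns one object per index whose keys
    # are exactly the requested column names ("index", "docs.count").
    status, body = fetch(base_url + "/_cat/indices?format=json&h=index,docs.count")
    if status == 200:
        for row in json.loads(body):
            name = row.get("index", "")
            docs = int(row.get("docs.count") or 0)
            finding["indices"].append((name, docs))
            finding["total_docs"] += docs
            if any(hint in name.lower() for hint in SENSITIVE_HINTS):
                finding["sensitive_indices"].append(name)
    return finding


def report(finding):
    """Render a finding as a short human-readable summary."""
    if finding["state"] != "open":
        return "state=%s (HTTP %s)" % (finding["state"], finding["status"])
    lines = ["OPEN cluster %r running %s, %d documents readable anonymously"
             % (finding["cluster_name"], finding["version"], finding["total_docs"])]
    for name, docs in finding["indices"]:
        flag = " <-- likely personal data" if name in finding["sensitive_indices"] else ""
        lines.append("  %-24s %10d docs%s" % (name, docs, flag))
    return "\n".join(lines)


# Constructed responses standing in for an unauthenticated cluster; the host,
# index names and counts are invented for this example and are not real data.
CONSTRUCTED_RESPONSES = {
    "http://es.example.test:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "shop-cluster",
        "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"})),
    "http://es.example.test:9200/_cat/indices?format=json&h=index,docs.count": (200, json.dumps([
        {"index": "orders-2019.03", "docs.count": "912345"},
        {"index": "members", "docs.count": "654321"},
        {"index": ".kibana", "docs.count": "3"},
    ])),
}


def constructed_fetch(url, timeout=5):
    """Offline stand-in for http_fetch, serving the constructed responses above."""
    return CONSTRUCTED_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    print(report(audit_elasticsearch("http://es.example.test:9200", fetch=constructed_fetch)))
```

Run against a real host with `audit_elasticsearch("http://10.0.0.5:9200")` and the only acceptable outcome is `auth_required` or no answer at all. The fix for an `open` result is configuration, not code: bind `network.host` to a private interface, enable `xpack.security.enabled: true` so every request is authenticated, and keep the firewall as a second layer rather than the only one, since the page's own account is that a single firewall change was enough to expose everything. Elasticsearch does not encrypt indices on disk by itself, so the at-rest encryption the experts below ask for has to come from the volume layer (LUKS, or the cloud provider's encrypted disks).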

After Rotem’s findings were published, Gearbest posted a statement on its Facebook page responding to VPNMentor.

“Some of the external tools we use to temporarily store data may have been accessed by others and therefore data security may have been compromised.”

“Our investigation reveals that on March 19, 2019, … firewalls were mistakenly taken down by one of our security team members for reasons still being [sic] under investigation. Such unprotected status has directly exposed those tools for scanning and accessing without further authentication.”

Gearbest said in the statement that the breach may affect 280,000 newly registered customers and customers who placed orders with Gearbest between March 1, 2019, and March 15, 2019.

It also says the data leak was fixed two hours after detection.

“We will further strengthen our internal security management to avoid such incidents from happening again.”

Gearbest says it is also taking measures to deactivate the passwords of the compromised accounts to prevent credential abuse, and will notify affected customers via email.

The full VPNMentor report is on its website. 

What cybersecurity experts have to say  

Digital Guardian cloud services security architect Naaman Hart

The most shocking thing about this is the complete mistruth that was told to customers of Gearbest. 

Data-at-rest encryption was the promise and it doesn’t appear to have been the case at all. 

While breaches can be seen as almost unavoidable these days, encryption of the data stolen should be a given, especially given the sensitivity of the data Gearbest stored. 

Worryingly it’s not just the usual names, addresses, passwords and emails; the data includes passport details and national IDs. 

Gearbest don’t appear to have shown any care in segregating information that, while it’s all personal, is not equal.

The data was linked so easily together that a complete profile of someone could be built that exposes the individual to identity fraud. 

There are many other risks that could now befall the individual customer and trying to fix this problem by invalidating their data by requesting new passports and national IDs is not only difficult, it’s sometimes impossible. 

Gearbest’s customers may have to accept that they’re forever exposed to additional risk thanks to the mismanagement of their data.

It appears that Gearbest failed on two counts of poor configuration. 

First, they failed to protect a ‘big data’ Elasticsearch setup and secondly, they failed to encrypt any of that data. 

Both of these are configuration and best practice problems and frankly, there’s little excuse for not implementing them correctly.

Ultimately if you can’t trust a company to get the basics right, definitely don’t trust them to keep you and your data safe.

Bitglass CTO Anurag Kahol

It’s concerning when it takes an organisation months, or even years, to recognise that a misconfigured server has enabled a breach or a leak.

As a global e-commerce provider that ships to over 250 countries and territories, ranks in the top 100 websites in almost 30 percent of said regions, and has subdomains in 18 different languages, Gearbest must adopt a flexible security platform that proactively detects and responds to new threats as they arise.

Allowing a server to remain misconfigured for a prolonged period of time increases the odds that a malicious actor can find it and exploit the information therein for their own purposes.

Throughout 2018 and 2019, misconfigurations have grown in popularity as an attack vector across all industries.

This highlights the reality that organisations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like misconfigurations.

As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage.

For example, cloud access security brokers (CASBs) provide cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and other capabilities that can give an organisation confidence that its data is truly safe.
