Governance & Risk Management , Incident & Breach Response , IT Risk Management

Gearbest Database Leaks 1.5 Million Customer Records

White Hat Hackers Expose Lax Security Practices at Chinese Online Retailer
Gearbest Database Leaks 1.5 Million Customer Records
Researchers found Chinese e-commerce giant Gearbest exposing customer data as well as its own Apache Kafka server management software, pictured. (Image: VPNMentor)

An unprotected database belonging to Chinese e-commerce site Gearbest exposed 1.5 million customer records, including payment information, email addresses and other personal data for customers worldwide, white hat hackers discovered.

See Also: The Complexities of Vulnerability & Patch Management

Noam Rotem, a hacker and activist, found the internet-exposed Elasticsearch database, which does not appear to have been password protected, earlier this month as part of what he calls an ethical hacking project, according to a March 15 blog post on VPNMentor. Once inside the database, Rotem found a treasure trove of personal data from multiple countries that was not encrypted.

It's not clear when the data was first exposed - Rotem found it on about March 1, according to the blog - or if anyone has taken advantage of it. Gearbest acknowledged in a statement that a member of the security team turned off a firewall for a short time.

Gearbest is a large e-commerce and retail site based in China that mainly sells electronics and appliances, but also deals in clothing and other goods. The company ships to over 250 countries and has subdomains in about 18 languages, including English.

Customer Data Exposed

Inside the main Elasticsearch database, Rotem says, he found three distinct databases - for orders, payments/invoices and members - that included a wealth of customer data, including: customer names, products purchased, shipping addresses, email addresses, phone numbers, order numbers, payment types, payment information, dates of birth, IP address, and national ID and passport information.

"An open database filled with personal information can compromise users' safety online. The records we saw show full sets of unencrypted data, including email addresses and passwords," according to the VPNMentor blog post.

Only a small portion of the exposed personal data is needed to complete an order or buy a product from the site, the researchers note. They also say there's no reason for the company retain data such as the IP address of a customer.

Gearbest Response

When Rotem and VPNMentor first published their findings, Gearbest and its parent company, Globalegrow, did not respond. Later, however, Rotem posted a response on Twitter. In its statement, Gearbest disputed some of the claims the security researchers made, including the number of customer records exposed, which the company calculated closer to 280,000.

Additionally, the company said it uses encryption to protect data.

As to how the database became exposed on the internet, the Gearbest statement suggested that a member of the company's security team took down a firewall around March 1. Why that happened is still under investigation by the company, according to the statement.

The amount of personal and customer data exposed could lead to a host of security problems for Gearbest's users, according to Avast, a Czech security vendor, which published a commentary about the incident.

"The amount of different personal information exposed is really worrisome," wrote Luis Corrons, a security expert with Avast wrote. "Apart from identity theft, it could be used to launch targeted attacks against potential victims, from sextortion to spear phishing."

Beyond ID Theft

The exposed database also may put Gearbest's corporate data at risk.

Rotem noted that researchers also found URLs in the exposed database that led to the Apache Kafka software that Gearbest, as well as Globalegrow, use as part of their platforms. This open source software is used by enterprises to prevent server overload and maintain efficiency, while allowing the businesses to collect big data analytics.

"This kind of access allows malicious hackers to manipulate information, reassign database properties and even disable entire sections of the company's server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management," the VPN Mentor blog noted.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.