Gearbest recently undertook a rebranding
GREY MARKET Chinese e-tailer Gearbest has suffered a giant security lapse which has exposed thousands of order details and personal information.
The company, used by many Shenzhen electronics firms to market their products to the West, has been accused of leaving its databases unprotected, thus making them open season for anyone who knows what they’re looking for.
Security researcher Noam Rotem found the Elasticsearch server used by Gearbest, which at the time of writing had failed to respond on the matter.
According to Rotem’s report on VPNMentor, the details leaked included names, addresses, telephone numbers, email addresses, customer order details including product lines, amounts, and hashed out card details – all held with minimal or no encryption.
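The exposure described above is the classic one: an Elasticsearch HTTP endpoint bound to a routable interface with no authentication in front of it, so anyone who finds the port can read the indices. As an added illustration (not code from the article, from Gearbest, or from vpnMentor), the following Python audit reads a flat elasticsearch.yml and flags that combination. The setting names `network.host` and `xpack.security.enabled` are real Elasticsearch settings; the two sample configurations are constructed for the example, and treating a missing `xpack.security.enabled` as "disabled" is a deliberately conservative assumption (it matches the 6.x/7.x basic-licence default, not 8.x).

```python
"""Audit a flat elasticsearch.yml for the exposure pattern in the story:
cluster reachable beyond loopback AND no authentication on the REST API.
Example code added to this page; sample configs are constructed."""

# Values of network.host that keep the node on the local machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: what a carelessly deployed node often looks like.
WEAK_CONFIG = """
cluster.name: shop-orders
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
# no xpack.security.* lines at all
"""

# Constructed sample: the same node with the two settings corrected.
HARDENED_CONFIG = """
cluster.name: shop-orders
network.host: 127.0.0.1      # only reachable via a local proxy/VPN
http.port: 9200
xpack.security.enabled: true # REST API requires credentials
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.

    Comments and blank lines are skipped. Nested YAML structures are out of
    scope for this audit and are simply ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_settings(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    # Elasticsearch binds to loopback when network.host is not set.
    host = settings.get("network.host", "_local_")
    public = host not in LOOPBACK_HOSTS
    # Assumption: absent setting counts as disabled (conservative choice).
    secured = settings.get("xpack.security.enabled", "false").lower() == "true"

    if public:
        findings.append(f"network.host={host}: HTTP API reachable beyond loopback")
    if not secured:
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")
    if public and not secured:
        findings.append("CRITICAL: unauthenticated cluster exposed on a routable interface")
    return findings


def audit_config(text):
    """Convenience wrapper: raw elasticsearch.yml text -> findings."""
    return audit_settings(parse_flat_yaml(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Binding to loopback and enabling security are only the first two checks; in practice a node that must be reachable from other hosts should sit behind TLS and a firewall rule limiting source addresses, which this audit does not model.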
Some records also included passport/ID numbers, and the content of what customers are ordering could prove incriminating – Gearbest is not above selling a dildo or two, and Gearbest serves a number of countries where such behaviour is frowned upon, in a “we’ll kill you for it” kind of way.
Gearbest, which previously suffered a data breach in 2017, has expanded aggressively in recent years, opening warehouses inside the EU, in an attempt to get around import taxes which are charged on items from the main warehouse.
This may be Gearbest’s undoing as, by having premises inside the EU, the company is at least partly covered by GDPR laws, meaning it could be fined up to four per cent of its global turnover – and that figure covers the global takings too, not just orders originating in the EU.
Gearbest’s parent company Globalegrow has similar problems with its site that could allow an outsider to play silly wotsits with their databases too.
Gearbest recently turned five years old and celebrated with a rebranding that seems to coincide with the first time the server was detected – though that could be a coincidence.
Whilst Gearbest doesn’t seem to have given away any passwords, it is nevertheless highly recommended to change yours (if you are a customer) and those on any other accounts using the same password.
Source: Inquirer