- Unsecured databases mean users’ information is easily accessible online
- Gearbest customers are affected, as well as customers on sister shopping sites, including Zaful, Rosegal, and DressLily
- Breach puts at least hundreds of thousands of users at risk of identity theft and financial loss
A recent ethical hack by well-known white-hat hacker Noam Rotem and the team at vpnMentor has exposed a serious security breach in Gearbest’s customer database.
What is Gearbest?
Gearbest is a hugely successful Chinese online shopping site. It’s best known for consumer electronics, appliances, and tech items, but it also sells clothing, homeware, and beauty products.
The site is a major player in global e-commerce. It ships to 250 countries worldwide and has subdomains in 18 languages. Gearbest is owned by Chinese conglomerate Globalegrow, which also operates shopping sites Zaful, Rosegal, and DressLily. In 2017 alone the company had a $1.48 billion turnover.
As such a successful e-commerce site, you would think that the company was serious about securing online customer privacy. Unfortunately, a vpnMentor investigation has revealed multiple unsecured databases used by the site to keep track of its members and orders. At the time of writing, the databases remain unsecured even though the investigation’s leaders have alerted Gearbest to the problem.
Details of the breach: What is exposed?
The breach has exposed at least three databases containing more than 1.5 million records of customer identities, payment details, and shopping histories. The exposed fields include:
- Customer name
- Phone number
- Shipping address
- Products purchased
- Order number
- Payment type
- Email address
- IP address
- Date of birth
- National ID and passport details
- Account passwords
Why does it matter?
The information about customers includes national ID and passport information, and contact and shipping details. It’s ripe for exploitation by hackers. Gearbest puts customers at serious risk of identity theft and hacking.
Using what they found in the databases, vpnMentor’s ethical hackers could navigate accounts as though they were the users themselves, and change details like names, passwords, and payment methods.
Information of this sort can be used to create so-called “local damage.” For example, anyone could quite easily change order details or use the saved payment details to pay for other items.
The investigation revealed that users in Brazil were particularly vulnerable to exploitation if they use the ‘Boleto Bancário’ payment method. This method is like a voucher system. The openness of the database means that the vouchers could be easily manipulated and theoretically used to spend the users’ voucher money.
However, the details available in all three databases could also be easily used to steal a user’s identity. Particularly concerning is the national ID and passport information. Depending on the country, such information can be used to get access to electoral rolls, health records, and government service portals.
This raises serious privacy issues at a time when people are concerned about how much personal data is available online, and how it is used. We all have a right to question why companies need so much information about us – even if we agree to provide that information in user permissions. Breaches like this expand the conversation by underlining how easy it is for anyone to get access to that data.
The identifying details next to order histories are also concerning. While some items might not raise the alarm beyond privacy concerns, other orders might threaten user security in countries with strict societies and morality laws. The vpnMentor investigation gave an eye-opening example of the possible repercussions of a sex toy purchase in some parts of the world.
What is ethical hacking?
Ethical hacking refers to a process where tech and security experts penetrate systems, databases, and networks to test for vulnerabilities and holes. The idea is to expose flaws that a malicious hacker may be able to exploit.
The primary responsibility in this kind of work is to the general public. Nonetheless, vpnMentor contacted Gearbest to tell them about the flaw, in addition to reporting the incident. At the time of writing, Gearbest has not responded and continues to use unsecured databases, leaving its customers’ data available and easily accessible online.
Lauren Smith, Privacy researcher, vpnMentor
Lauren is an experienced security researcher (7 years) with a demonstrated history of working in the computer and network security industry. Her day job is working for a human rights organization, and she has written for vpnMentor since 2018 in her spare time, at nights and on weekends.