Gearbest security flaw leaks millions of order and user details

A badly configured server at Gearbest, the Chinese purveyor of technology and other stuff online, has leaked millions of user profiles and order details.

White hat hacker Noam Rotem discovered an Elasticsearch server that was -- indeed still is at the time of writing -- leaking millions of records each week. These include customer data, orders, and payment records. The server wasn't protected with a password, potentially allowing anyone to search its data.

Rotem published details of the leak at VPNmentor. Data exposed includes details of products bought and shipping information, plus payment details, email addresses, and other customer data such as dates of birth and account passwords.

All of this information was stored unencrypted. Rotem notes in his report, "Gearbest's database isn't just unsecured. It's also providing potentially malicious agents with a constantly-updated supply of fresh data."

Gearbest has been contacted about the problem by Rotem and by TechCrunch  but has yet to take steps to secure the data or issue a comment on the leak.

Since Gearbest sells a number of 'adult' products, details of orders could be used to embarrass or blackmail customers.

Gearbest has been running for more than a decade and is one of the top Chinese shopping sites, and in the top 250 worldwide. It also operates warehouses in Europe where GDPR rules apply, so this leak could not only damage the company's reputation but lead to it incurring a large fine. Some of the company's accounts were also breached in 2017 following what was described as a credential stuffing attack.