The well-known Gearbest, a major Chinese online shopping company, revealed millions of user profiles and purchase orders, according to security researchers.
Researcher Noam Rotem discovered that an Elasticsearch server is leaking millions of files every weekteam. Σε αυτά συμπεριλαμβάνονται δεδομένα πελατών, παραγγελιών και files from payments. The server is not even password protected, allowing anyone to access the data.
Gearbest ranks as one of the top 250 websites worldwide and cooperates with leading companies such as Asus, Huawei, Intel and Lenovo.
The TechCrunch website contacted Gearbest via a dedicated security page, and made sure to inform them of the vulnerable server. Despite the report, however, the company did not lock the data or respond to the request.
Rotem, who shared them his findings with TechCrunch, stated that among the data circulating there are names, addresses, phone numbers, email addresses and customer orders from products purchased. The database also had information on payments and invoices.
"The content of some people's orders has turned out to be very revealing," says Rotem.
Exposed orders not only violate customer privacy, but may endanger the company's customers in many parts of the world where the freedom of speech and expression is limited. Some of the listings are for sex toys and other purchases that could, for example, lead to legal interference where LGBTQ relationships are prohibited by law.
Countries such as the United Arab Emirates and Pakistan have strict laws that can result in death sentences.
Shenzhen-based Gearbest has a large presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the UK, where data protection laws apply and privacyof the EU. Thus, any company that violates the General Data Protection Regulation (GDPR) can be fined up to 4% of its total revenue.
If you have an account on the site, it makes no sense to change your password, as the server is still a wild vine. But what you can do is change the password where you use the same.
How to Enable and Disable a User in Windows 10