The well-known Gearbest, a major Chinese online shopping company, revealed millions of user profiles and purchase orders, according to security researchers.
Investigator Noam Rotem has discovered that an Elasticsearch server runs millions of files each week. This includes customer data, orders, and payment records. The server is not even protected by a password, allowing anyone to access the data.
Gearbest is ranked among one of the world's leading 250 websites and is partnering with leading companies such as Asus, Huawei, Intel and Lenovo.
The TechCrunch website contacted Gearbest via a dedicated security page, and made sure to inform them of the vulnerable server. Despite the report, however, the company did not lock the data or respond to the request.
Rotem, who shared them his findings with TechCrunch, said that there are names, addresses, phone numbers, e-mail addresses and customer orders from purchased products among the data being released. The database also had information on payments and invoices.
"The content of some people's orders has been very revealing," says Rotem.
Exposed orders not only violate customers' privacy but may compromise customers in many parts of the world where freedom of speech and expression is limited. Some of the listings include sex games and other markets that could for example lead to legal interference where LGBTQ relationships are forbidden by law.
Countries such as the United Arab Emirates and Pakistan have strict laws that can result in death sentences.
Shenzhen-based Gearbest has a large presence in Europe with warehouses in Spain, Poland, the Czech Republic and the UK, where EU data protection and privacy laws are in force. Thus, any company that violates the General Protection Regulation Data (GDPR) may be fined up to 4% of its total revenue.
If you have an account on the site, it makes no sense to change your password, as the server is still a wild vine. But what you can do is change the password where you use the same.