The well-known Chinese online retailer Gearbest has exposed millions of user profiles and purchase orders, according to security researchers.
Security researcher Noam Rotem discovered an Elasticsearch server that was handling millions of records each week, including customer data, orders and payment records. The server was not even password-protected, so anyone who could reach it was able to access the data.
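The kind of misconfiguration described above, beside the settings that close it, as an added illustration that is not taken from the report or from Gearbest's systems (cluster name, address and certificate paths are placeholders): an Elasticsearch node left reachable from anywhere with no login, then the same node restricted to a private interface and requiring authenticated, encrypted connections.

```yaml
# --- WEAK: elasticsearch.yml that exposes the node to the internet with no login ---
# Added illustration with placeholder values, not Gearbest's configuration.
cluster.name: shop-orders
network.host: 0.0.0.0          # listens on every interface, public ones included
http.port: 9200
xpack.security.enabled: false  # no authentication: anyone reaching port 9200 can read every index
---
# --- HARDENED: same node, reachable only from the application network and only with credentials ---
cluster.name: shop-orders
network.host: 10.0.2.15        # placeholder private address; never bind to a public interface
http.port: 9200
xpack.security.enabled: true                  # every request must present valid credentials
xpack.security.http.ssl.enabled: true         # credentials and order data are encrypted in transit
xpack.security.http.ssl.keystore.path: certs/http.p12                 # placeholder path
xpack.security.transport.ssl.enabled: true    # node-to-node traffic is encrypted as well
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12    # placeholder path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12  # placeholder path
```

After restarting with the hardened settings, set the built-in user passwords (for example with `bin/elasticsearch-setup-passwords interactive` on 7.x) and confirm that an unauthenticated request to port 9200 now returns HTTP 401 instead of the cluster banner.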
Gearbest is ranked among the world's top 250 websites and partners with leading companies such as Asus, Huawei, Intel and Lenovo.
TechCrunch contacted Gearbest through its dedicated security page to inform the company about the vulnerable server. However, despite the report, the company neither secured the data nor responded to the request.
Rotem, who shared his findings with TechCrunch, said that the exposed data includes names, addresses, phone numbers, e-mail addresses and customers' orders for purchased products. The database also held payment and invoice information.
"The content of some people's orders has been very revealing," says Rotem.
The exposed orders not only violate customer privacy but may also endanger the company's customers in parts of the world where freedom of speech and expression is restricted. Some of the orders are for sex toys and other items that could, for example, lead to legal trouble in places where LGBTQ relationships are prohibited by law.
Countries such as the United Arab Emirates and Pakistan have strict laws that can result in death sentences.
Shenzhen-based Gearbest has a large presence in Europe, with warehouses in Spain, Poland, the Czech Republic and the United Kingdom, where the EU's data protection and privacy laws apply. Any company that violates the General Data Protection Regulation (GDPR) can be fined up to 4% of its total revenue.
If you have an account on the site, changing your password there makes no sense, because the server is still wide open. What you can do is change your password on any other service where you reuse the same one.