Gearbest is a massive online store, primarily specializing in Chinese products. In the Android community, Gearbest is known as one of the easiest ways to purchase devices from Xiaomi and other Chinese brands in the United States. If you've purchased something from Gearbest in the past, you might want to start changing your credit cards — the company's main database was found to be completely unsecured.
VPNMentor's white hat security team, led by Noam Rotem, published a report about Gearbest's security. The group found that the site's main database, as well as the databases of its sister sites (including Zaful, Rosegal, and DressLily), are easily accessible and contain more than 1.5 million records.
Some of the accessible information includes emails, account passwords, IP addresses, birthdays, street addresses, payment information, and full names. The team was able to log into two accounts without effort. The exact content of each customer's orders is also visible. Gearbest's data management console was also accessible, meaning hackers could easily manipulate information on the site, disable sections of the company's servers, and even disrupt operations at Gearbest's warehouses.
It's safe to say that data breaches don't get much worse than this — it might be a good idea to stay away from Gearbest.
Gearbest has provided us with the following statement:
Immediately upon becoming aware of this incident, our security experts initiated an investigation to verify the allegations made by Mr. Noam Rotem. While we found that all our own established databases or servers used for storing or processing Data are protected with all necessary encryption measures and are absolutely safe, some of the external tools we use to temporarily store Data may have been accessed by others and therefore Data security may have been compromised.
The external tools we use are intended to improve efficiency and prevent data overload, and the Data will only be stored in such tools for less than 3 calendar days before it is automatically destroyed. Considering possible data security breaches, we protected those tools with powerful firewalls to avoid any such data being compromised by malicious scanning from others. However, our investigation reveals that on March 1st, 2019, such firewalls were mistakenly taken down by one of our security team members for reasons still under investigation. This unprotected status directly exposed those tools to scanning and access without further authentication.
Currently, we believe this may have affected our newly registered customers as well as our old customers who placed orders with Gearbest during the time from March 1st, 2019 to March 15th, 2019, in a total number of about 280,000. Fortunately, the irregularity was fixed by us within two hours immediately after detecting it, and we will further strengthen our internal security management to avoid such an incident from happening again.
We truthfully apologize for what happened. In addition to what we have done as mentioned above, we will be urgently carrying out measures to inactivate the passwords of those newly registered customers to avoid any illegal login to their accounts, and will also send emails to all affected customers to update them on the situation.
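The statement attributes the exposure to a firewall being taken down in front of temporary data stores that had no authentication of their own and that were supposed to hold data for under 3 calendar days. The following is an added example, not code from Gearbest or from vpnMentor's report, of the kind of automated guardrail a defender would run against such a store's configuration: it flags a store that is reachable from the internet without authentication, a store that relies on a single control (only the firewall or only authentication), and a retention setting longer than the 3-day policy. The store name, port, CIDRs, rule model and the 72-hour threshold are constructed assumptions for illustration.

```python
"""Configuration guardrail for a temporary data store (added example, constructed inputs)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# TEST-NET-3 address standing in for "an arbitrary host on the internet" (constructed).
PROBE_SRC = ipaddress.ip_address("203.0.113.10")
MAX_RETENTION_HOURS = 72  # the statement's "less than 3 calendar days", as an assumed threshold


@dataclass
class Rule:
    action: str    # "allow" or "deny"
    src_cidr: str  # source network the rule matches
    port: int      # destination port the rule matches


@dataclass
class StoreConfig:
    name: str
    port: int
    auth_required: bool
    retention_hours: int
    default_action: str             # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)


def reachable_from_internet(cfg: StoreConfig) -> bool:
    """First-match evaluation of the rule list for a packet from PROBE_SRC to the store's port."""
    for rule in cfg.rules:
        if rule.port == cfg.port and PROBE_SRC in ipaddress.ip_network(rule.src_cidr):
            return rule.action == "allow"
    # No rule matched: the default policy decides. A removed firewall is modelled as
    # an empty rule list with default "allow".
    return cfg.default_action == "allow"


def audit(cfg: StoreConfig) -> List[str]:
    """Return findings ordered by severity; an empty list means the store passes."""
    findings = []
    exposed = reachable_from_internet(cfg)
    if exposed and not cfg.auth_required:
        findings.append(f"CRITICAL {cfg.name}: reachable from the internet with no authentication")
    elif exposed:
        findings.append(f"HIGH {cfg.name}: reachable from the internet (authentication is the only control)")
    elif not cfg.auth_required:
        findings.append(f"HIGH {cfg.name}: no authentication (network filtering is the only control)")
    if cfg.retention_hours > MAX_RETENTION_HOURS:
        findings.append(
            f"MEDIUM {cfg.name}: retention {cfg.retention_hours}h exceeds {MAX_RETENTION_HOURS}h policy"
        )
    return findings


# Constructed sample configurations (hypothetical store "temp-store" on port 8080).
BASELINE = StoreConfig(  # firewall in place, but the store itself has no authentication
    "temp-store", 8080, auth_required=False, retention_hours=72, default_action="deny",
    rules=[Rule("allow", "10.0.0.0/8", 8080)],
)
FIREWALL_DOWN = StoreConfig(  # the failure described in the statement: filtering removed
    "temp-store", 8080, auth_required=False, retention_hours=72, default_action="allow",
)
HARDENED = StoreConfig(  # two independent controls plus a short retention window
    "temp-store", 8080, auth_required=True, retention_hours=48, default_action="deny",
    rules=[Rule("allow", "10.0.0.0/8", 8080)],
)

if __name__ == "__main__":
    for cfg, label in ((BASELINE, "baseline"), (FIREWALL_DOWN, "firewall down"), (HARDENED, "hardened")):
        print(f"[{label}]", audit(cfg) or "no findings")
```

Run as a script it prints one line per configuration. The point of the `elif` ladder is that the baseline already earns a HIGH finding before any incident: with no authentication on the store, the firewall is a single point of failure, which is exactly the condition the "firewall down" configuration turns into a CRITICAL one.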