A team of security researchers has discovered a vulnerable Elasticsearch database that contained over 1.5 million customer records.
The team from the site vpnMentor was led by cybersecurity expert Noam Rotem. They discovered that the database primarily contained customer records from Gearbest, a Chinese e-commerce company owned by Globalegrow. Other sites owned by this parent company, such as Zaful, Rosegal, and DressLily, were also affected.
The big picture
Why it matters - While Gearbest's user privacy statement boasts of various security measures implemented to protect customer information, those measures were not evident in this case. In addition to the database being left unprotected, the customer data it held was stored without encryption.
What actions were taken - When vpnMentor contacted Gearbest and Globalegrow regarding the issue, they acknowledged it, but have yet to respond with a security fix.
Meanwhile, Gearbest said in a statement that, “On March 1st, 2019... firewalls were mistakenly taken down by one of our security team members for reasons still being under investigation. Such unprotected status has directly exposed those tools for scanning and accessing without further authentication. Currently, we believe this may have affected our newly registered customers as well as our old customers who placed orders with Gearbest during the time from March 1st, 2019 to March 15th, 2019, in a total number of about 280,000.”