Unguarded Elasticsearch database found exposing over 1.5 million customer records

• The customer records belonged to customers from online retails sites such as GearBest, Zaful, Rosegal, and DressLily.
• Sensitive information such as passwords and payment information were found exposed along with personal information.

A team of security researchers has discovered a vulnerable Elasticsearch database that contained over 1.5 million customer records.

The team from the site vpnMentor, was led by cybersecurity expert Noam Rotem. They discovered that the database primarily contained customer records from Gearbest, a Chinese e-commerce company owned by Globalegrow. Other sites owned by this parent company such as Zaful, Rosegal, and DressLily, were also affected.

The big picture

• According to vpnMentor’s report, attackers could access various parts of Gearbest’s unprotected Elasticsearch database.
• The exposed data included customers' orders, payments methods, invoices, as well as members database.
• When it came to customers' personal information, the data included address, date of birth, phone number, email address, IP address, national ID, passport details and account passwords.
• In fact, the researchers accessed two Gearbest accounts which allowed them complete control as users.
• Subsequently, they also found that Globalegrow’s Kafka system was easily accessible. This could allow attackers to meddle with other databases compromising the company’s business information.

Why it matters - While Gearbest’s user privacy statement boasts of various security measures being implemented to protect customer information, it was not evident in this case. In addition to the unprotected database, customer data was also found to be stored without encryption.

What actions were taken - When vpnMentor contacted Gearbest and Globalegrow regarding the issue, they acknowledged it, but are yet to respond with a security fix.

Meanwhile, Gearbest said in a statement that, “On March 1st, 2019... firewalls were mistakenly taken down by one of our security team members for reasons still being under investigation. Such unprotected status has directly exposed those tools for scanning and accessing without further authentication. Currently, we believe this may have affected our newly registered customers as well as our old customers who placed orders with Gearbest during the time from March 1st, 2019 to March 15th, 2019, in a total number of about 280,000.”