Avast Blog_Security News: Gearbest might be the worst

[harlan4096]

Payment info and other personal data belonging to millions of e-commerce customers have been found unsecured on the web.

White hat hackers scanning the web for system holes and data leaks stumbled upon an unsecured ElasticSearch server containing millions of Gearbest customer records. Gearbest is an Amazon-style e-commerce site with a focus on tech and Chinese brands. It ships to over 250 countries and publishes 18 subdomains in different languages. Under parent company Globalegrow, Gearbest is a billion-dollar business, but while its privacy policy states that the company encrypts any and all customer info it retains, the unsecured server found online proves that this is not true. Hundreds of thousands of customers are putting themselves at risk daily, adding their info to the growing repository of customer data accumulating for anyone to access.

Furthering the mystery of how security could be so lax, the info found on the unsecured server goes beyond the “usual” info. Researchers were able to access three databases: an “orders” database containing all order info including customer address, phone number, and email; a “payments and invoices” database containing all payment info as well as the customer’s IP address; and a “members” database containing personal info like birthdates, national ID numbers, account passwords, passport info, and, again, IP addresses. Only a portion of all that info is needed for an e-commerce transaction. Researchers question the reasoning for storing unrelated personal info like IP addresses and national IDs.

All customers of Gearbest are advised to monitor all credit card and bank accounts. The personal information leaked online provides everything a bad actor would need to access a customer’s money and then some. With the national ID numbers and passport info, a bad actor could perpetrate identity theft. “The amount of different personal information exposed is really worrisome,” comments Avast Security Expert Luis Corrons. “Apart from identity theft, it could be used to launch targeted attacks against potential victims, from sextortion to spear phishing."

Continue Reading