Chinese online retailer Gearbest left open a database with millions of personal customer data

Published on March 16, 2019

A VPNMentor research team discovered that the Chinese online retail giant Gearbest stores customer data in easily accessible databases.



The VPNMentor researchers discovered several unsecured Elasticsearch databases (indices) holding millions of records with customer details, order information, and payment data.

All of this data belongs to and is used by Gearbest, whose site ranks among the Top 250 largest websites on the entire Internet. Gearbest sells major brands such as Asus, Huawei, Intel and Lenovo, delivers to more than 250 countries and supports local versions of the store in 18 languages.

In total, three freely accessible databases were found, containing a total of more than 1.5 million records:

  1. Orders database - contains the goods ordered and their delivery addresses, customer emails, names, and IP addresses.
  2. Payments database - consists of order numbers, payment types, payment information, customer names and their IP addresses.
  3. Customer database - contains customer names, dates of birth, addresses, phone numbers, emails, IP addresses, passport details and even the access passwords for orders.

Most importantly, the database is live: new records with the data of new orders are still being written into it.
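The exposure described here is the classic Elasticsearch misconfiguration: a node bound to a public interface with no authentication, so anyone who reaches port 9200 can list and read every index. The following is an added illustration of that weak configuration beside a hardened one; it is not Gearbest's actual configuration (which the report does not disclose) and uses the standard `elasticsearch.yml` settings of Elasticsearch 6.8/7.x, where built-in security became available in the free tier.

```yaml
# --- Weak: what produces an exposed cluster (constructed example, not Gearbest's file) ---
# Binding to all interfaces with security disabled means the REST API answers
# unauthenticated requests from the whole Internet.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

# --- Hardened: the same node, reachable only where it must be and requiring auth ---
# Bind to loopback or a private address; front the API with a firewall or reverse proxy
# if remote clients need it.
network.host: 127.0.0.1
http.port: 9200

# Turn on the built-in security layer so every request must authenticate.
xpack.security.enabled: true

# Encrypt node-to-node and client traffic (certificate paths are placeholders you
# generate with elasticsearch-certutil; they are not from the page).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
```

After enabling security, set the built-in user passwords once with `bin/elasticsearch-setup-passwords interactive`; from then on, an anonymous `GET /_cat/indices` should return HTTP 401 instead of the index listing. Deployments older than 6.8 that lacked a security license had no authentication at all, so for those the only safeguard is the binding and network rules shown above. A quick self-check is to request `/_cat/indices` from a host outside the trusted network and confirm the connection is refused or rejected.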