Chinese e-commerce giant Gearbest leaks millions of records, researcher finds

An unsecured database has exposed records about millions of customer transactions from the Chinese e-commerce giant Gearbest, security researcher Noam Rotem has announced.

Databases of orders, payments and invoices and customer information were exposed, compromising more than 1.5 million records, according to Rotem’s research published by VPN Mentor. It was not immediately clear how long the records have been exposed, though Rotem reported the databases were found unprotected this month. Payment information, products purchased, shipping addresses, and customer data including names, IP addresses and national identification and passport information was all among the data exposed.

“Gearbest’s database isn’t just unsecured,” VPN Mentor noted in a blog post. “It’s also providing potentially malicious agents with a constantly-updated supply of fresh data.”

Gearbest is owned by the Shenzen-based e-commerce giant Gobalegrow, a cross-border retailer specializing in the sale of electronics and computer accessories. On its website, Gearbest says it works with more than 5,000 Chinese companies including Xiaomi, Lenovo, Huawei, and done-marker DJI.

The company did not immediately respond to a request for comment from CyberScoop. The database still was unsecure, and available for anyone to search without a password, TechCrunch reported Thursday.

The publication of some information included in the database could result in legal repercussions for the customers involved, VPN Mentor noted, such as one man purchasing sex toys in Pakistan, where the law may prohibit activities that are more permitted in the West.

“A simple search gave us his full name, email address, street address and IP address,” the blog post stated. “A more detailed search would probably show us his date of birth and account password, letting us see his previous order information.”