Researchers at vpnMentor have discovered an unsecured database belonging to Gearbest, a Chinese e-commerce business that reportedly processes hundreds of thousands of sales a day.
According to a blog post from vpnMentor’s research team, the researchers were able to access several parts of Gearbest’s database, in which they found more than 1.5 million records, ranging from product purchases and shipping addresses to customer names, email addresses and phone numbers.
The team also accessed the members, payments and invoices databases, finding sensitive data that included names, dates of birth, IP addresses and passport information. “Gearbest’s database isn’t just unsecured. It’s also providing potentially malicious agents with a constantly-updated supply of fresh data,” the team wrote.
Misconfiguration has been the cause of multiple security incidents; earlier this year, misconfigured Elasticsearch servers were reported to have left millions of banking and financial records exposed without a password.
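The practical check behind these reports is simple: does the database answer read requests from someone who presents no credentials at all? The script below is an added example for this article, not code from vpnMentor, Gearbest or the article itself. It relies only on Elasticsearch's documented REST API (HTTP on port 9200 by default, `GET /`, `GET /_cluster/health` and `GET /_cat/indices?format=json`) and on the fact that a node with authentication enforced answers anonymous requests with HTTP 401. The host names, index names and sample responses are constructed for illustration, so the offline demo runs without any server.

```python
"""Probe an Elasticsearch node for reads that succeed without credentials.

Added example for this article; it is not code from vpnMentor, Gearbest or
the article itself. It relies only on Elasticsearch's documented REST API
(default HTTP port 9200, GET /, GET /_cluster/health, GET /_cat/indices).
Host names, index names and the sample responses below are constructed.
"""
import json
import urllib.error
import urllib.request

# Read-only endpoints that a node with security disabled answers to anyone.
PROBE_PATHS = ("/", "/_cluster/health", "/_cat/indices?format=json")

# Constructed sample of a GET /_cat/indices?format=json reply from an open
# node. The column names are Elasticsearch's; the indices are invented.
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "orders", "uuid": "a1",
     "pri": "1", "rep": "0", "docs.count": "1500000", "docs.deleted": "0",
     "store.size": "2gb", "pri.store.size": "2gb"},
    {"health": "yellow", "status": "open", "index": "members", "uuid": "b2",
     "pri": "1", "rep": "1", "docs.count": "40000", "docs.deleted": "12",
     "store.size": "50mb", "pri.store.size": "50mb"},
])

# Constructed sample of what a node with authentication enforced returns to
# an anonymous request (HTTP 401 with a security_exception body).
SAMPLE_AUTH_REQUIRED = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request"},
    "status": 401,
})


def classify(status, body):
    """Classify one anonymous probe as 'open', 'secured' or 'unknown'.

    401/403 means the node demanded credentials. A 200 whose body looks like
    a real cluster reply (cluster name/version, or a list of index rows)
    means anonymous reads work. Anything else is inconclusive.
    """
    if status in (401, 403):
        return "secured"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"  # HTML, a proxy page, not Elasticsearch JSON
    if isinstance(data, dict) and ("cluster_name" in data or "version" in data):
        return "open"
    # A non-empty list of rows each carrying an "index" field is _cat/indices.
    if isinstance(data, list) and data and all(
            isinstance(row, dict) and "index" in row for row in data):
        return "open"
    return "unknown"


def exposed_indices(cat_body):
    """Turn _cat/indices JSON into (index, doc_count) pairs, largest first."""
    pairs = []
    for row in json.loads(cat_body):
        try:
            count = int(row.get("docs.count") or 0)
        except ValueError:
            count = 0
        pairs.append((row["index"], count))
    pairs.sort(key=lambda p: p[1], reverse=True)
    return pairs


def fetch(url, timeout=5):
    """GET url with no credentials and return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def probe(host, port=9200, timeout=5):
    """Probe one node anonymously; returns {path: classification}."""
    results = {}
    for path in PROBE_PATHS:
        try:
            status, body = fetch(f"http://{host}:{port}{path}", timeout)
        except OSError:  # URLError is an OSError: refused, timeout, DNS
            results[path] = "unreachable"
            continue
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # python3 es_probe.py host1 host2 ...
        for host in sys.argv[1:]:
            print(host, probe(host))
    else:                          # offline demo on the constructed samples
        print("secured node:", classify(401, SAMPLE_AUTH_REQUIRED))
        print("open node:", classify(200, SAMPLE_CAT_INDICES))
        for name, count in exposed_indices(SAMPLE_CAT_INDICES):
            print(f"  {name}: {count} documents readable without a password")
```

Run it against your own hosts, not someone else's. Any path that comes back "open" means the node is serving data to unauthenticated clients; a "secured" result only shows that authentication is enforced, not that the credentials in use are strong or that the node should be reachable from that network at all. The usual fix is in elasticsearch.yml: enable authentication (`xpack.security.enabled: true`) and bind `network.host` to a private interface rather than a public one.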
“Too often, private information is collected, yet the collecting organization doesn’t monitor who has access to the data, when the data is viewed, or whether the data has been stolen. The problem of misconfiguration is generally more common at large companies than smaller ones, where everyone can look at everything. The bigger the company, the harder it is to maintain process,” said Terry Ray, SVP and Imperva Fellow at Imperva.
“Like Rubrik, the State Bank of India and others, Gearbest made a similar error leaving an unprotected server housing user data exposed. What we've seen – and continue to see – is companies are accelerating their use of technologies more than they're enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch. The data exposure highlights how modern data repositories have created a fundamental conflict in businesses.”
The use of modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet these repositories also introduce new complexities and requirements. “They require advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen,” Ray said.