Gearbest's Unprotected Databases Leave Millions Of Users At Risk
Amazon may be the international code word for e-commerce but there are other players, too, especially in other regions and smaller markets. China has the likes of Alibaba and Gearbest shipping products, many of them electronic devices, all over the world. Gearbest, alone, caters to 250 countries and its customers may number millions. And all of those have their personal, private, and sometimes incriminating data easily exposed thanks to some of the worst security practices we've heard of.
When your business involves online shopping, you will naturally be in possession of several important pieces of information. You'll have, among other things, a shopper's name, physical address, e-mail, phone number, and payment information. It's in your best interest to safeguard that data, not just because it's good for inspiring trust in your business but also because some jurisdictions legally require it.
Chinese e-commerce site Gearbest has a privacy policy that explicitly assures its customers of that. In addition to stating what data it collects, it also tells users that those details are thoroughly protected through encryption. A new security report claims otherwise and reveals how Gearbest's actions were completely opposite of what it says it does.
Gearbest's databases of orders, payments, and users were discovered to be unsecured. It didn't take long for a seasoned white hat hacker to break into the site's system and extract data. What makes it worse is that few of those pieces of data were actually encrypted, making it too easy for anyone with the database to take what they need.
More than just the threat of identity theft, Gearbest's lack of industry-standard security practices pose potential emotional and even physical threat to users. Databases could be cross-referenced to find incriminating information about users that could, later on, be used to blackmail them or, worse, hand them over to oppressive governments. vpnMentor, who discovered and tested the data breach, informed Gearbest of the issue. Unfortunately, the company has not taken action or even responded to the report.