An attack considered ‘ethical’ when it is carried out by tech experts in order to expose flaws in networks, systems and databases that malicious parties could exploit, if those flaws are not addressed.
Customers of Chinese online shopping site, Gearbest were the target of the attack, but users of associated shopping sites, including Zaful, Rosegal and DressLily also had their details put at risk.
‘White-hat’ hacker, Noam Rotem and fellow technicians at vpnMentor are believed to be behind the breach.
As a global online hub for consumer electronics, appliances, tech items and more, Chinese-owned Gearbest ships to 250 countries and had an annual turnover of $1.48 billion in 2017.
Vulnerabilities in the system of such a powerful ecommerce site sends a clear message to businesses of all sizes around the world, telling them to always be on the look-out for ways to improve cyber-security and optimise protection of consumer data.
A vpnMentor investigation uncovered numerous unsecured databases that the site uses to monitor members and orders.
The breach uncovered at least three databases, containing a total of over 1.5 million pieces of information relating to consumer identities, payment card details and purchase histories.
Other details compromised include: phone numbers, shipping addresses, email addresses, IP numbers, dates of birth, phone numbers, national ID card numbers and account passwords – in short, a data goldmine for would-be hackers, who could easily use the information for identity theft.
When inside the databases, vpnMentor’s activists could assume any of the victims’ identities, able to use the stolen knowledge to change critical details such as passwords, payment info and shipping addresses.
“Gearbest’s database isn’t just unsecured. It’s also providing potentially malicious agents with a constantly updated supply of fresh data.”
In a Twitter post, Noam Rotem said that the weakness was in an “external tool”, not the firm’s core databases, before claiming that customer information was “protected with all the necessary encryption measures and are absolutely safe.”
By way of explanation, Gearbest said that its firewalls were taken down by mistake at the start of March, although reasons for this measure are still being investigated.
The company’s last data breach came in December 2017, when Gearbest disclosed details of a credential stuffing attack that compromised multiple accounts.