Zeljka Zorz reports:
Chinese e-commerce giant Gearbest has exposed information and orders of millions of its customers through an unsecured Elasticsearch server, security researcher Noam Rotem and his team have found.
According to Rotem, the server was not protected with a password and anyone could access it and search the data.
Also, despite assurances from the company that sensitive data is encrypted, most of the contents of the database were decidedly not.
Read more on HelpNetSecurity. This seems to be a more concerning what-could-happen leak than a lot of other leaks that researchers find online — in part, because passport numbers are involved, but in part because the content of some people’s orders is exposed:
“Hidden in the ‘Sales’ section of Gearbest’s ‘Apparel’ category, users can find a vast array of sex toys. The nature of the store’s open database means the details of your private purchases could quickly become public knowledge.”
For many people across the world, purchasing sex toys is not problematic, but for some, who live in countries with prohibitive laws regarding sexuality and homosexuality, this information could lead to a death sentence for users.
Once again, what might seem like just another human error incident could have life-threatening consequences.