VPNMentor Researchers said they managed to invade different parts of the database of the Chinese web store Gearbest and found information about orders, payments and customers there.

The VPNMentor team , led by Israeli security researcher Noam Rotem, was able to access personal data from orders, payments and customer data including passport information and account passwords after the intrusion. In total it involved more than 1.5 million database entries
the team discovered this month. According to the researchers, the Elasticsearch database was not protected and many data such as passwords were not encrypted.

As an example of how bad it is to expose a database as an online store, VPNMentor reports that it could see the personal data of buyers of sex toys, which in some countries can get into serious trouble if it becomes known to authorities.

The researchers also received url access to the Kafke data management system from Gearbest and parent company Globalegrow. This would allow malicious parties to disable entire parts of servers. The researchers had given Gearbest the opportunity to respond for a few days, but had not yet received a response.