Vaping News

Gearbest: Not the Best

A rebranded Gearbest has run into problems as millions of customers have had their unencrypted personal data stolen.

Share on:
Gearbest has been running for five years, selling a wide range of vaping equipment to millions of customers. To mark the sixth year of trading, the company recently rebranded to reflect its values and vision. Unfortunately, this didn’t include protecting personal identification information – including banking data.

Gearbest’s design team met last year to create an “energetic brand message”. The project remit was to create a simpler logo and slogan in order to convey “a modern vision” of the company, all based around the letter “G” to resemble a “classic smile”.

"We spent 4 months working on this grand upgrade from sending questionnaires to consumers to comparing hundreds of logos and proposals. This is really big for us, and for Gearbest," Director of UED centre Thor Zhao said.

Branding director Lilac Luo added: “It is the perfect breakthrough point to transform the image, strategies and brand philosophy. We completed our closed-loop supply chain by building up a management and control system on purchase, storage, sale, and delivery, which will be crucial and a strong support for branding in the future.”

They chose to keep the old black and white and include yellow; a colour traditionally associated with luck, power, royalty and prosperity in China. Unfortunately, yellow also has a strong association with pornographic publications, so its use comes with a caution when incorporated into brand designs.

The link to pornography is quite appropriate in this context as it gives rise to an unprintable word that would encapsulate how millions of Gearbest customers must be feeling this week.

All the meetings about font type and colour counts for nothing when the most of the private customer information was stored in unencrypted files on an Elasticsearch database.

Information included:

  • Full names
  • Addresses
  • Phone number
  • Email addresses
  • Products purchased
  • Payment methods
  • Invoice information
  • Active bank payment vouchers with the unique barcodes – meaning the information could be used to pretend to be the holder of the relevant bank account

The information containing personal identifiers and private banking data as a Kafka misconfiguration allowed anyone to take or change anything. Noam Rotem, a cyber-security specialist and white hat hacker identified the flaws at the beginning of March.

It is reported that Gearbest failed to respond to or act upon this information. Data has not be secured as of the end of last week, according to Rotem.

Brian Johnson, CEO of DivvyCloud said: “Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information.”

“This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more.”

“Organisations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls.”

Security company Avast states: “All customers of Gearbest are advised to monitor all credit card and bank accounts. The personal information leaked online provides everything a bad actor would need to access a customer’s money and then some.”

“All potential victims should change their passwords immediately. Regularly changing and storing complex passwords is easy with a password manager.”

As Gearbest has warehouses in Spain, Poland, Czech Republic and the U.K., EU data protection and privacy laws apply: if it is found guilty of violating the General Data Protection Regulation it can be fined up to 4% of its global revenue.

Dave Cross avatar

Dave Cross

Journalist at POTV
View Articles

Dave is a freelance writer; with articles on music, motorbikes, football, pop-science, vaping and tobacco harm reduction in Sounds, Melody Maker, UBG, AWoL, Bike, When Saturday Comes, Vape News Magazine, and syndicated across the Johnston Press group. He was published in an anthology of “Greatest Football Writing”, but still believes this was a mistake. Dave contributes sketches to comedy shows and used to co-host a radio sketch show. He’s worked with numerous start-ups to develop content for their websites.

Join the discussion

Product

Parliament Fears Two

The Department for Environment, Food and Rural Affairs faced questions from a Conservative MP and, oddly, a member of the Department for Environment, Food and Rural Affairs

Vaping News

Harm Reduction For The Rich

The United Kingdom risks becoming a harm reduction country only for the wealthy, according to Michael Landl of the World Vapers’ Alliance

Vaping News

Sacrificing Health For 2p Cut

Tory Government alienates vaping voters with its mission to cut tax by an unaffordable 2p to attract voters by placing a tax on vape products in the forthcoming budget

Vaping News

Scotland Announces Single-Use Vape Action

A ban on the sale and supply of single-use vapes in Scotland is due to come into effect on 1 April 2025, under proposed legislation published today