Update (12/22): We reported yesterday on the news that GearBest may have been subject to a hack, and today, the company has responded with the following statement:
Our IT department has investigated this issue and we have identified a few hundred accounts that may have been exposed. Immediately after this came to our attention, we froze these accounts and contacted the affected users.
Our investigation concludes that it is unlikely that our users' information was leaked from our system. What has likely happened is that ill-intentioned people bought and/or hacked user login information from other websites and were trying to see if that data could access GearBest. As far as we know, those hackers used some special software to facilitate uploading large volumes of leaked data from other sites to try to deceptively log in to Gearbest from a group of high-risk IPs.
Apart from the steps we have taken above to alert our customers to update their passwords, we are also urgently working on risky IP identification and a more complicated verification code to prevent systematic password testing.
We would like to take this opportunity to thank you for raising this issue. Please rest assured that Gearbest remains a safe website and will strive to keep protecting the interest of our users to the best of our abilities.
So, GearBest suggests that the information may not have leaked from its site, but rather that the email addresses and passwords leaked from another source were the same as ones used by GearBest customers. This is plausible: I’m sure lots of people use the same email and password across multiple websites, risky as it is. Still, it may have highlighted a weakness in GearBest’s security systems — and indeed its customer relations efforts — if it has taken a person Googling their own email address to expose this. I’ve reached out once more to GearBest on this matter and will update this page with any response.
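The pattern GearBest describes, large volumes of leaked credentials from other sites replayed against its login from a handful of source IPs, is the kind of thing a login service can spot from its own auth logs. The following is an added illustration, not GearBest's code or data: it assumes a constructed log format (`timestamp ip account OK|FAIL`) and illustrative thresholds, and flags source IPs that try many distinct accounts with a high failure rate while leaving a single user mistyping their own password alone.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real GearBest data); format is an assumption:
# "<timestamp> <source_ip> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2015-12-15T10:00:01 203.0.113.7 alice@example.com FAIL
2015-12-15T10:00:02 203.0.113.7 bob@example.com FAIL
2015-12-15T10:00:02 203.0.113.7 carol@example.com OK
2015-12-15T10:00:03 203.0.113.7 dave@example.com FAIL
2015-12-15T10:00:03 203.0.113.7 erin@example.com FAIL
2015-12-15T10:00:04 203.0.113.7 frank@example.com FAIL
2015-12-15T10:01:10 198.51.100.20 alice@example.com FAIL
2015-12-15T10:01:20 198.51.100.20 alice@example.com OK
2015-12-15T10:02:00 192.0.2.9 bob@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, account, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, account, outcome = m.groups()
            yield ts, ip, account, outcome == "OK"

def find_stuffing_ips(text, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: stats} for source IPs whose pattern looks like credential stuffing:
    many *distinct* accounts tried from one address with a high failure rate.
    One account failing repeatedly (a forgetful user) is deliberately not flagged.
    Thresholds are illustrative assumptions, not tuned values."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                   "failures": 0, "hits": set()})
    for _, ip, account, ok in parse_log(text):
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if ok:
            s["hits"].add(account)   # accounts the source actually got into
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_accounts": len(s["accounts"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

The `compromised` list is the useful output for the response side: those are the accounts to freeze and notify, which is what GearBest says it did for the few hundred it found.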
Previous coverage (12/21): Popular online retailer GearBest may have been the subject of a recent hack, judging by the comments currently seen on Reddit. Apparently, the email, password and purchase information of around 150 supposed GearBest users has turned up online in a Pastebin file.
This was discovered by Redditor jamesdownwell after he Googled his personal email address (something he said he sometimes does as a “random security check”) last week.
jamesdownwell says he wrote about this in an r/GearBest Reddit thread — which he says was removed without explanation — and has since commented elsewhere, like r/Android, where we discovered it. He also published an email conversation he is alleged to have had with a support representative regarding the matter, which started on December 15. Though the representative appears to acknowledge the seriousness of the matter, GearBest hasn’t made a public announcement regarding this, and the details are still available online via a cached page.
It’s currently being speculated that a vulnerability in the GearBest app has been exploited to retrieve the user information.
We aren’t going to republish that information here, for obvious reasons, but several people have commented testifying to the list’s authenticity. One person says they’ve been able to log into more than 20 accounts with some of the details found there, while another says an item was bought through their account without their knowledge.
What’s more, Android fansite Tutto Android claims to have already been in communication with GearBest, which has apparently acknowledged the situation and is now said to be investigating it.
We’ve contacted GearBest regarding the matter through several channels but have yet to receive a response; we’ll update this page as soon as we do. In the meantime, it might be worth changing your own GearBest password just to be on the safe side.