Over 1.5 million customer records from online electronics seller GearBest, as well as Zaful, Rosegal, and DressLily, were stored in an unprotected Elasticsearch server, according to a joint report from VPNMentor (archived here) and security researcher Noam Rotem. The brands involved are owned by Shenzhen Globalegrow E-commerce Co., Ltd, a controversial seller of Chinese-made products.

The VPNMentor report indicates that orders, payments and invoices, and member databases were visible, exposing information including customer names and addresses, phone numbers, email address, IP addresses, date of birth, national ID and passport information, account passwords, and payment information, in addition to information about what products were ordered.

SEE: Brute force and dictionary attacks: A guide for IT leaders (Tech Pro Research)

The information was available, unencrypted. The report notes that “some email addresses contained some hashing,” postulating that “it was a partially-implemented security measure that is simply not doing its job.” Given access to this data, researchers were able to log in to two Gearbest accounts as the original user, giving them the ability to “change user orders, manipulate account details, and spend monies from saved payment methods.”

Hackers also gained to access to Globalegrow’s Apache Kafka installation, which the report states “allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server.”

A statement from GearBest claims, in part:

Immediately upon being aware of this incident, our security experts have initiated an investigation to verify the allegations made by Mr. Noem Rotem. While we found that all our own established databases or servers used for storing or processing Date are protected with all necessary encryption measures end are absolutely safe, some of the external tools we use to temporarily store Data may have been accessed by others and therefore Data security may have been compromised.

On March 1st, 2019… firewalls were mistakenly taken down by one of our security team members for reasons still being under investigation. Such unprotected status has directly exposed those tools for scanning and accessing without further authentication. Currently, we believe this may have affected our newly registered customers as well as our old customers who placed orders with Gearbest during the time from March 1st, 2019 to March 15th, 2019, in a total number of about 280,000.

In a series of tweets, Rotem claims (translated) that the explanation is “Quite delusional, but more common than you’d like to think,” adding “Do you see the date when they claim that the violation has begun? It’s… not accurate. Not even close. And number of customers exposed? Again, far from reality. At this point, it’s getting a little too much to try and fix them.”

TechCrunch reporter Zack Whittaker contacted GearBest, though indicated that “the company neither secured the data nor responded to our request for comment.” Whittaker also notes that GearBest suffered a security breach in December 2017 resulting in account compromise.

Globalegrow was the subject of a BuzzFeed investigation in 2016, following a litany of user complaints that the company’s fashion brands “regularly sucker consumers into buying clothing straight from China,” using images stolen from Instagram and other social networking services.

For more, check out 51% of companies publicly exposed cloud storage services in the past year, what California’s move to collect back taxes from Amazon Fulfillment users means for your business, and software vulnerabilities are becoming more numerous, less understood.