60 Million Users Data Exposed by USPS!
Are you one of the 60 million users with an account at usps.com? If so, anyone else with a usps.com account was able to view your account details and, in some cases, to modify them. This included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, mailing campaign data, and other private or sensitive information. While it appears that user passwords were likely not accessible via the vulnerability, malicious entities could have harvested the data for targeted spam campaigns, phishing, and social engineering efforts.
The problem, which has now been fixed, stemmed from an authentication weakness in a USPS web API (application programming interface). The API was part of an initiative called “Informed Visibility,” which allowed businesses, advertisers and other bulk mail senders to “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.
The flaw in the API let ANY logged-in user search the system for account details belonging to other users: the API checked that the caller was logged in, but not that the caller was entitled to the particular records being requested. USPS has stated that it has no information that the vulnerability was leveraged to exploit customer records and that it quickly mitigated the weakness. Fixing information disclosure and authentication weaknesses of this kind is often quite simple, so organizations should invest in and prioritize such fixes before they have to face the negative effects of a user data breach!
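The pattern described above, a "logged in" check standing in for an ownership check, is easy to show side by side with the corrected version. The following is an added example written for this article; it is not USPS code and knows nothing about the real Informed Visibility API. The account records, the `Account` fields, the session model (a username string) and the in-memory `DENIALS` audit list are all constructed for illustration.

```python
"""Object-level authorization: a weak lookup next to a hardened one.

Added example, not USPS code. All names and data here are constructed.
"""
import logging
from dataclasses import dataclass
from typing import Optional, Tuple, List

log = logging.getLogger("api.audit")


@dataclass
class Account:
    account_id: int
    owner_username: str
    email: str
    phone: str


class AuthenticationError(Exception):
    """Raised when no authenticated session is present."""


# Constructed sample data: two unrelated account holders.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "555-0100"),
    1002: Account(1002, "bob", "bob@example.com", "555-0101"),
}

# Constructed audit trail: (caller, requested account_id) for every denial.
# A real service would send these to its logging pipeline; repeated denials
# from one session across many account_ids is the signal to alert on.
DENIALS: List[Tuple[str, int]] = []


def _require_login(session_user: Optional[str]) -> str:
    if not session_user:
        raise AuthenticationError("login required")
    return session_user


def lookup_account_weak(session_user: Optional[str], account_id: int) -> Optional[Account]:
    """WEAK: the only gate is 'is the caller logged in'. Any authenticated
    user can walk through every account_id and read other people's records."""
    _require_login(session_user)
    return ACCOUNTS.get(account_id)


def _authorized(session_user: str, account_id: int) -> Optional[Account]:
    """Return the record only if the caller owns it; log and deny otherwise.
    Missing and not-owned both yield None so the response does not confirm
    whether a guessed account_id exists."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return None
    if acct.owner_username != session_user:
        DENIALS.append((session_user, account_id))
        log.warning("denied: user=%s requested account_id=%s", session_user, account_id)
        return None
    return acct


def lookup_account(session_user: Optional[str], account_id: int) -> Optional[Account]:
    """HARDENED read: authenticate, then authorize against the object's owner."""
    user = _require_login(session_user)
    return _authorized(user, account_id)


def update_phone(session_user: Optional[str], account_id: int, new_phone: str) -> bool:
    """HARDENED write: same ownership check before any modification."""
    user = _require_login(session_user)
    acct = _authorized(user, account_id)
    if acct is None:
        return False
    acct.phone = new_phone
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("weak   :", lookup_account_weak("alice", 1002))   # bob's record leaks
    print("hardened:", lookup_account("alice", 1002))       # None, and a denial is logged
    print("denials :", DENIALS)
```

The design point is that authentication answers "who is calling?" while authorization answers "may this caller touch this object?"; the weak function only asks the first question. Returning the same `None` for a missing record and a record the caller does not own keeps the endpoint from acting as an account-ID oracle, and the denial log gives the security team something to alert on when one session starts requesting many IDs it does not own.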
Written by Emily McNeeley, CIPP/US, Attorney, Intuitive Edge Team