The U.S. Postal Service has reportedly exposed the data of 60 million users through a faulty web API.
According to TechCrunch, a “broken” API used by the U.S. Postal Service “exposed more than 60 million users and allowed a researcher to pull millions of rows of data by sending wildcard requests to the server.”
“The USPS service, called InformedDelivery, allows you to view your mail before it arrives at your home and offered an API to allow users to connect their mail to specialized services like CRMs,” explained TechCrunch. “The anonymous researcher showed that the service accepted wildcards for many searches, allowing any user to see any other users on the site.”
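The flaw described above, as an added illustration rather than code from TechCrunch, Krebs or USPS (the real Informed Delivery implementation is not public): a search endpoint that hands a caller-supplied pattern straight to a lookup over every account, beside a version that binds the lookup to the authenticated caller and rejects wildcard characters, plus a log check that flags the bulk responses such a bug produces. The record layout, the `USERS` table and the log entries are constructed for the example.

```python
import fnmatch

# Constructed sample accounts standing in for user records (not real data).
USERS = {
    "alice": {"email": "alice@example.com", "street": "1 Elm St"},
    "bob":   {"email": "bob@example.com",   "street": "2 Oak Ave"},
    "carol": {"email": "carol@example.com", "street": "3 Pine Rd"},
}

# Characters that glob- or SQL-style matching would interpret as wildcards.
WILDCARD_CHARS = set("*?[%_")


class Forbidden(Exception):
    """Raised when a caller asks for an account that is not their own."""


def search_users_vulnerable(pattern: str) -> list:
    """Broken design: any authenticated caller supplies a glob pattern that is
    matched against *every* account.  A pattern such as "*" returns the whole
    table, which is the class of flaw the article describes."""
    return [dict(username=u, **rec) for u, rec in USERS.items()
            if fnmatch.fnmatchcase(u, pattern)]


def search_users_hardened(caller: str, pattern: str) -> list:
    """Hardened version: wildcard metacharacters are rejected instead of being
    interpreted, and the lookup is tied to the caller's own identity
    (object-level authorization), so one caller can only read one row."""
    if any(c in WILDCARD_CHARS for c in pattern):
        raise ValueError("wildcards are not permitted")
    if pattern != caller:
        raise Forbidden("callers may only query their own account")
    rec = USERS.get(caller)
    return [dict(username=caller, **rec)] if rec else []


# Constructed access-log entries: (caller, query string, rows returned).
SAMPLE_LOG = [
    ("alice", "alice", 1),
    ("bob", "*", 3),
    ("carol", "car?l", 1),
]


def flag_suspicious(log):
    """Detection: flag requests whose query carries wildcard characters or
    that returned more rows than a single account lookup should ever yield."""
    return [(c, q, n) for c, q, n in log
            if n > 1 or any(ch in WILDCARD_CHARS for ch in q)]
```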
The broken API was discovered by former Washington Post reporter Brian Krebs, who reported on his blog that “ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.”
After several attempts by Krebs to contact the U.S. Postal Service, the agency eventually patched the API.
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity,” declared the U.S. Postal Service in a statement. “Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”