The US Postal Service has taken an entire year to fix a security vulnerability on the usps.com website that exposed the account data of all 60 million of its users. Any logged-in usps.com user could view other users' personal account information, including usernames and street addresses. An independent researcher reportedly identified the vulnerability more than a year ago.
USPS was slow to act: Krebs on Security reports that the fix was only applied earlier this week, which means the data of 60 million users sat exposed for an entire year.
The flaw was in an application programming interface (API) that gives businesses and advertisers access to a USPS database for tracking packages and user data. The API should have checked whether the calling account was authorized to view the requested data before returning it, but no such authorization check was in place. This class of bug, an authenticated caller being handed another user's record simply by asking for it, is usually described as broken object-level authorization or an insecure direct object reference.
Phone numbers, email addresses, mailing campaign data, and more were exposed to anyone logged into usps.com, and a logged-in user could also request changes to another user's account. Because records were searchable by street address, any logged-in user could retrieve them with ordinary requests to the site; no hacking tools were needed to exploit the vulnerability.
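As an added example (not USPS code, and not taken from the Krebs report), the following Python sketches the bug class the article describes: API handlers that verify only that a caller is logged in, beside handlers that also verify the caller is allowed to touch the specific record. It covers the three behaviours described above: reading another user's record by ID, searching by street address, and changing another user's account. The account IDs, names, addresses and handler names are all hypothetical.

```python
# Added illustration of a missing object-level authorization check.
# Not USPS code; every record and identifier here is hypothetical.
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    username: str
    email: str
    phone: str
    street_address: str


# Constructed sample records (fictional), keyed by account ID.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "555-0100", "1 Main St"),
    1002: Account(1002, "bob", "bob@example.com", "555-0101", "2 Oak Ave"),
    1003: Account(1003, "carol", "carol@example.com", "555-0102", "1 Main St"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the request."""


class NotFound(Exception):
    """Raised when the requested record does not exist."""


def _require_login(session_user_id):
    # Authentication only: this is the sole check the vulnerable handlers make.
    if session_user_id not in ACCOUNTS:
        raise Forbidden("not logged in")


def _lookup(requested_id):
    account = ACCOUNTS.get(requested_id)
    if account is None:
        raise NotFound(requested_id)
    return account


def _search(street_address):
    return [a for a in ACCOUNTS.values() if a.street_address == street_address]


def _can_access(session_user_id, account):
    # Authorization, the missing step: a consumer may only touch their own record.
    return account.account_id == session_user_id


# ---- vulnerable handlers: authenticated, but never authorized -------------

def get_account_vulnerable(session_user_id, requested_id):
    """Returns any account by ID to any logged-in caller."""
    _require_login(session_user_id)
    return _lookup(requested_id)


def search_by_address_vulnerable(session_user_id, street_address):
    """Returns every account at an address to any logged-in caller."""
    _require_login(session_user_id)
    return _search(street_address)


def update_email_vulnerable(session_user_id, target_id, new_email):
    """Lets any logged-in caller change any other account's email."""
    account = get_account_vulnerable(session_user_id, target_id)
    account.email = new_email
    return account


# ---- fixed handlers: same lookups, each gated by _can_access --------------

def get_account_fixed(session_user_id, requested_id):
    _require_login(session_user_id)
    account = _lookup(requested_id)
    if not _can_access(session_user_id, account):
        raise Forbidden("not your account")
    return account


def search_by_address_fixed(session_user_id, street_address):
    # Filter results to records the caller may see, so a shared or guessed
    # address cannot be used to enumerate other users.
    _require_login(session_user_id)
    return [a for a in _search(street_address) if _can_access(session_user_id, a)]


def update_email_fixed(session_user_id, target_id, new_email):
    account = get_account_fixed(session_user_id, target_id)
    account.email = new_email
    return account


def is_denied(handler, *args):
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

In a production API the fixed handlers would normally return the same response for "forbidden" and "not found" so that the error itself does not reveal which account IDs exist; distinct exception types are used here only to make the two checks visible.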
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law,” the USPS said in a statement.