Ireland Regulator: LinkedIn Processed Email Addresses Of 18 Million Non-Members
Google Admitted Tracking Users' Location Even When Phone Setting Disabled

Massive Data Breach At U.S. Postal Service Affects 60 Million Users

United States Postal Service logo The United States Postal Service (USPS) experienced a massive data breach due to a vulnerable component at its website. The "application program interface" or API component allowed unauthorized users to access and download details about other users of the Informed Visibility service.

Security researcher Brian Krebs explained:

"In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox."

Geez! The USPS has since fixed the API vulnerability. Regardless, this is bad, very bad, for several reasons. Not only should the vulnerable API have prevented one user from viewing details about another, but it allowed changes to some data elements. Krebs added:

"A cursory review by KrebsOnSecurity indicates the promiscuous API let any user request account changes for any other user, such as email address, phone number or other key details. Fortunately, the USPS appears to have included a validation step to prevent unauthorized changes — at least with some data fields... The ability to modify database entries related to Informed Visibility user accounts could create problems for the USPS’s largest customers — think companies like Netflix and others that get discounted rates for high volumes. For instance, the API allowed any user to convert regular usps.com accounts to Informed Visibility business accounts, and vice versa."

About 13 million Informed Delivery users were also affected, since the vulnerable API component affected all USPS.com users. A vulnerability like this makes package theft easier since criminals could determine when certain types of mail (e.g., debit cards, credit cards, etc.) arrive at users' addresses. The vulnerable API probably existed for more than one year, when a security researcher first alerted the USPS about it.

While the USPS provided a response to Krebs on Security, a check at press time of the Newsroom and blog sections of About.USPS.com failed to find any mention of the data breach. Not good. Transparency matters.

If the USPS is serious about data security, then it should issue a public statement. When will users receive breach notification letters, if they haven't been sent? Who fixed the vulnerable API? How long was it broken? What post-breach investigation is underway? What types of changes (e.g., employee training, software testing, outsource vendor management, etc.) are being implement so this won't happen again?

Trust matters. The lack of a public statement makes it difficult for consumers to judge the seriousness of the breach and the seriousness of the fix by USPS. We probably will hear more about this breach.

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)