US Postal Service took a year to fix API flaw that exposed 60 million users’ data
The US Postal Service has finally fixed a security bug that allowed anyone logged in to its website to view the personal details of roughly 60 million other account holders.
The vulnerability was unearthed over a year ago, but was only patched yesterday after Krebs on Security flagged the issue, having been tipped off by an anonymous security researcher.
According to the researcher, the flaw was an authentication weakness in the application programming interface (API) that lets users query a USPS database for tracking packages: the API checked that a caller was logged in, but not that the caller was entitled to the records being requested, so any authenticated user could pull up other users' data.
The data exposed by the bug included email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorized users, mailing campaign data and more.
USPS has released an official statement saying that the incident is under investigation.
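As an added illustration of the flaw class the researcher describes (this is not USPS code; the records, user names and function names below are constructed for this example), here is a minimal Python lookup that checks only that the caller is logged in, beside a version that also checks that the caller owns the requested account or is listed as an authorized user on it. The hardened version returns the same error for a record that does not exist and one the caller may not see, so the API cannot be used to enumerate valid account numbers either.

```python
"""Constructed example of an API that authenticates but does not authorize
per-record access, next to the fixed form. Not USPS code; all names and
records here are made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    username: str
    email: str
    street_address: str
    phone: str
    # Other users explicitly granted access to this account's data
    authorized_users: set = field(default_factory=set)


# Constructed sample records standing in for the customer database.
ACCOUNTS = {
    1001: Account(1001, "alice", "alice@example.com", "1 Main St", "555-0101"),
    1002: Account(1002, "bob", "bob@example.com", "2 Oak Ave", "555-0102",
                  authorized_users={"carol"}),
    1003: Account(1003, "carol", "carol@example.com", "3 Elm Rd", "555-0103"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_account_vulnerable(session_user, account_id):
    """Authentication only: any logged-in user may read any account."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def get_account_fixed(session_user, account_id):
    """Authentication plus object-level authorization: the caller must own
    the record or be listed as an authorized user on it. Missing and
    unauthorized records produce the same error to prevent enumeration."""
    if session_user is None:
        raise Forbidden("login required")
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise Forbidden("not found or not permitted")
    if session_user != account.username and session_user not in account.authorized_users:
        raise Forbidden("not found or not permitted")
    return account


def can_read(handler, session_user, account_id):
    """True if the given handler lets session_user read account_id."""
    try:
        handler(session_user, account_id)
        return True
    except Forbidden:
        return False


def cross_account_exposure(handler):
    """Count (caller, account) pairs where the caller can read a record that
    is neither their own nor one they are authorized on. Zero is the goal."""
    leaks = 0
    for caller in (a.username for a in ACCOUNTS.values()):
        for account_id, account in ACCOUNTS.items():
            if caller == account.username or caller in account.authorized_users:
                continue
            if can_read(handler, caller, account_id):
                leaks += 1
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_exposure(get_account_vulnerable))
    print("fixed handler leaks:", cross_account_exposure(get_account_fixed))
```

With three constructed accounts and one authorized-user grant, the vulnerable handler lets every logged-in user read all five records that are not theirs, while the fixed handler leaks none. The same ownership check belongs in every endpoint that takes a record identifier from the client, including batch and search endpoints, since a single unguarded path is enough to expose the whole table.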
“We currently have no information that this vulnerability was leveraged to exploit customer records,” USPS says. “The information shared with the Postal Service allowed us to quickly mitigate this vulnerability.
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information,” it continued. “Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity.”
“Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law,” USPS said.