A tool used by USPS customers to update their addresses failed to work properly and allowed anyone to view and alter the information of any of the system's 60 million registered users. The data that could be viewed and altered includes not only names and addresses but potentially also social security numbers.
The USPS claims to have just fixed the service, called Informed Delivery, which is used by 60 million Americans to track mail and package delivery. Criminals could see details of what packages were being delivered to people’s homes on what days. A researcher blew the whistle on this problem by notifying Krebs on Security a year after the same researcher notified the USPS of the problem without receiving a response. Krebs on Security verified the existence of the problem and notified the USPS, which addressed the issue.
A statement issued by the USPS to Krebs on Security said:
“Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
Informed Delivery is a tool used by businesses, such as bulk mail advertisers, to “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and traffic, according to the USPS website. The flaw exposed the tracking data of mail and packages sent by USPS commercial customers and also let any logged-in user view the account details of any other user, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
Krebs on Security provided more detail on how no specific hacking tools were required to expose the data or search for specific users' accounts. Only a normal web browser was required. It was easy to search for specific users or to run broad searches for all accounts that met broad criteria. It would be easy to target all women, or anyone in Chicago, or people in a specific zip code, or everyone registered with a gmail.com email address using simple searches.
One particularly frightening example of how this tool could be used was to track the movements of a person who had relocated to get away from an abusive person. By entering the former address into the system, you could get their email address and telephone number. Then by searching either of those two pieces of information, you could find the street address currently associated with that person.
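The behaviour described above is a search that only required the caller to be logged in, with no check that the caller was entitled to the records returned. The following is an added example, not USPS code and not part of the original post, that contrasts that pattern with a server-side check scoped to the caller; the record fields, the grant table and the function names are hypothetical.

```python
# Added example: hypothetical field names and records, constructed for illustration.
ACCOUNTS = [
    {"user_id": 1, "email": "alice@example.com", "zip": "60601", "phone": "555-0100"},
    {"user_id": 2, "email": "bob@example.com", "zip": "60601", "phone": "555-0101"},
    {"user_id": 3, "email": "carol@example.org", "zip": "94105", "phone": "555-0102"},
]
# Accounts each authenticated caller may read: itself plus its authorized users.
GRANTS = {1: {1}, 2: {2, 3}, 3: {3}}
SEARCHABLE = {"email", "zip", "phone"}
AUDIT = []  # withheld-result events, a signal worth alerting on


class Forbidden(Exception):
    """Raised when a request must be refused outright."""


def _matches(account, criteria):
    return all(account.get(k) == v for k, v in criteria.items())


def search_unscoped(caller_id, **criteria):
    """Flawed pattern: being logged in is the only requirement."""
    return [a for a in ACCOUNTS if _matches(a, criteria)]


def search_scoped(caller_id, **criteria):
    """Hardened pattern: results are limited to accounts the caller may read."""
    allowed = GRANTS.get(caller_id)
    if allowed is None:
        raise Forbidden("caller is not a known account")
    if not criteria or set(criteria) - SEARCHABLE:
        raise Forbidden("search needs at least one supported field")
    matches = [a for a in ACCOUNTS if _matches(a, criteria)]
    visible = [a for a in matches if a["user_id"] in allowed]
    withheld = len(matches) - len(visible)
    if withheld:
        # Record cross-account lookups so repeated probing shows up in review.
        AUDIT.append({"caller": caller_id, "fields": sorted(criteria), "withheld": withheld})
    return visible


if __name__ == "__main__":
    print(len(search_unscoped(1, zip="60601")))  # every account in the zip code
    print(search_scoped(1, zip="60601"))         # only the caller's own record
    print(AUDIT)
```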
At MyProfyle, we believe this threat is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy but to control your identity – not just your credit – by putting yourself in the position to know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life™ Identity Protection.