The United States Postal Service is under fire, and this time it has nothing to do with lost packages. Instead, a major security flaw exposed sensitive data on around 60 million registered USPS users. Here’s what we know so far.
Details of the USPS compromise
On November 18, KrebsOnSecurity announced that USPS suffered a major security incident. Until a few days ago, anyone with a USPS account could view near real-time package data sent by commercial customers, as well as the account details of users.
The USPS compromise was due to a weakness in their “Informed Visibility” application program interface (API). The API accepted “wildcard” searches, meaning that savvy users could access all records without using any special hacking tools or even entering search criteria, like a tracking number.
The compromised data included email addresses, usernames, account numbers, addresses, phone numbers, and other personally identifiable information. It doesn’t appear that passwords could be accessed. The exploit also allowed users to request changes to the accounts of others. However, the most significant changes — like address changes — required two-factor authorization.
How did USPS respond to the compromise?
KrebsOnSecurity reports that the USPS resolved the issue shortly after their organization contacted the Postal Service. However, Krebs was alerted to the issue by a source that warned the USPS of this vulnerability more than a year ago.
While the USPS didn’t address its delayed response, it did assert its commitment to security:
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity. Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
A history of security and privacy concerns
This isn’t the only security-related scandal to hit the USPS in recent months. Back in September, the Secret Service released an internal memo warning that identity thieves would abuse another popular USPS system, Informed Delivery. The vulnerability was discovered as part of a fraud case where crooks leveraged the system as part of a scheme to steal more than $400,000.
While the full damage of Informed Delivery and Informed Visibility are unknown, one thing is for certain — privacy advocates are becoming increasingly vocal over many USPS policies. This is especially true when it comes to the agency photographing every piece of mail it processes, a practice that was revealed by Edward Snowden and later confirmed by the Postal Service in 2013.
What can you do to protect yourself?
If you’re one of the 60 million Americans with a USPS account, your data was likely accessible for as long as the API weakness was in place. However, this doesn’t mean that an identity thief or cybercriminal necessarily accessed your information. Still, it’s important to monitor your credit reports and scores frequently — a best practice you should follow regardless of the USPS compromise.
Although there was nothing you could do to prevent your data being exposed by the USPS, there are many other steps you can take to protect your online privacy. If you’d like to learn what they are, consider downloading our complimentary guide, Protecting Your Privacy: Best Practices for Mobile, Social, and Search Settings.