The USPS just made its most important delivery of the year — a fix to a vulnerability it has had on its site for some time.
The Verge reports that all 60 million of its users were exposed.
“The vulnerability included all 60 million user accounts on the website. It was caused by an authentication weakness in the site’s application programming interface (API) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages. The API should have verified whether an account had permissions to read user data but USPS didn’t have such controls in place.”
Users were not simply exposed by sending and receiving mail, only becoming potentially compromised should they have conducted business on the site which required a user name. The user names were also exposed by the vulnerability, along with attending addresses. So if you have been one of the many users who have utilized USPS services online, hackers may have gathered some of your private information.
The United States Postal Service has recently been in the news due to another price increase on stamps and other delivery services. Those increases were the result of yet another year of financial woes, struggles which have left the USPS deeper in debt. It is reasonable to imagine that every aspect of the service is struggling, not just the information technology division.
Hackers would have found it trivial to take advantage of this vulnerability. The information was out there for anyone skilled hacker to grab. It was not a hard computer science problem, nor did it require specialized skills or the extensive resources of an enemy nation. It appears to be a matter of corporate negligence — the kind that Sen. Ron Wyden of Oregon believes is worthy of jail time for executives who mishandle user data.
Right now, there is no way to know if anyone actually took advantage of the vulnerability. The USPS wants to assure everyone that, out of an “abundance of caution,” they are looking into the matter. They have claimed that they will make sure that anyone trying to inappropriately access the system will be prosecuted to the fullest extent of the law.
It is possible that the postal service said something similar four years ago — when their systems were hacked, affecting 800,000 employees and 2.9 million customer service records.
If you use USPS online, it goes without saying that you should change your password. If possible, delete your account and set up a different one entirely. You should also be sure not to reuse user names and passwords across sites and services. Having that information compromised on one site makes you vulnerable everywhere else you reuse that information.