A security hole in a mail preview program from the U.S. Postal Service could have exposed the data of more than 60 million customers , giving third parties access to information including when critical documents and checks are scheduled to arrive in people’s mailboxes.
An anonymous researcher discovered the weakness in the “Informed Delivery” service, noting that a web component called an API allowed pretty much anyone with a USPS account to view details of other users and, in some cases, to modify those people’s account details.
The USPS says it has patched the security hole, but seemingly only did so after security expert Brian Krebs inquired about it. The anonymous researcher who alerted him claims to have alerted postal authorities about the issue more than a year ago.
Informed Delivery has been under scrutiny for some time. On Nov. 6, the U.S. Secret Service reportedly issued an internal alert that criminals were using the feature to commit a variety of crimes. The alert came after seven people were arrested in Michigan for signing people up for credit cards and retrieving them before the resident was aware of them, running up nearly $400,000 in charges.
Informed Delivery sends a summary of incoming mail to USPS customers, offering details about what will be arriving that day, including checks, important documents, and more. That’s valuable information for identity thieves and common criminals.
The security flaw also let any user find the account details of other users, including email address, user ID, phone number and more, according to Krebs. The postal service says it has no information that any customer records were accessed. Officials also say they’re investigating further “out of an abundance of caution”.
The USPS has had a rough 2018. In August, it accidentally released an unredacted copy of a Congressional candidate’s personal security file and has beencaught in the middle of a feud between President Donald Trump andAmazon most of the year. This PR black eye comes just over a month after the agency announced it was seeking the biggest stamp price hike in its history.