USPS Suffers Major Breach, Leaving Millions Exposed

60 Million Users Exposed Due to USPS’s Overlooked Security Breach

The United States Postal Service (USPS) just fixed a security vulnerability that previously allowed anyone with an account at usps.com to view account details for approximately 60 million other users.  Worse, in some cases users were able to access and modify account details for accounts they should not have had access to.  Just think of the damage someone could do with that power!

According to Krebs on Security, this vulnerability is over a year old.  The researcher who originally found it reportedly informed the USPS over a year ago without a resolution.  Once Brian Krebs confirmed the vulnerability and reached out to USPS, a fix was promptly issued.

The security vulnerability was also overlooked by the Office of Inspector General, which recently conducted an IT audit.  The audit findings focused primarily on the encryption of data in transit from point A to point B.  However, they missed the lack of access controls within the usps.com website as a whole.  Prior to the fix, once a user was logged into their own account, they could abuse that access to reach other users' account details.  Now, a second authentication step has been added in order to authorize certain account changes.

It does not appear user passwords were leaked as a result of this vulnerability.  However, it would be wise to review account information to ensure accuracy.
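To make the control gap concrete, here is an added illustration (not USPS code, and not based on any detail of the actual usps.com application, which the article does not describe): a toy account service with a lookup that only checks for a login, beside a version that also checks record ownership and requires a second authentication step before changes. Account records, user names and the `step_up_verified` flag are constructed assumptions.

```python
# Constructed sample records, not real USPS data.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.test", "street": "1 Main St"},
    1002: {"owner": "bob", "email": "bob@example.test", "street": "2 Elm St"},
}
EDITABLE = {"email", "street"}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def view_account_before_fix(session_user, account_id):
    """Flawed pattern: only 'is someone logged in?' is checked, never
    'does this caller own the record?', so any account id can be read."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def view_account(session_user, account_id):
    """Hardened: object-level authorization ties the record to the caller."""
    if session_user is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same response for missing and foreign ids: the caller learns nothing
        # about which ids exist.
        raise Forbidden("account not found")
    return record


def update_account(session_user, account_id, changes, step_up_verified):
    """Changes need ownership plus a second authentication step; here that
    step is an assumed boolean set after an out-of-band verification."""
    record = view_account(session_user, account_id)
    if not step_up_verified:
        raise Forbidden("second authentication step required")
    unknown = set(changes) - EDITABLE
    if unknown:
        raise ValueError(f"fields not editable: {sorted(unknown)}")
    record.update(changes)
    return dict(record)


def is_denied(fn, *args):
    """Helper: True when the call is refused by an authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```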


13 thoughts on “USPS Suffers Major Breach, Leaving Millions Exposed”

  1. Since you all know what should be done etc etc and how incompetent everyone is – YOU follow in their footsteps apply for a job with gov’t agencies, see how things are handled and then give an opinion.

  2. Lol! Do you think that maybe our gov. is responsible for the majority of all hacking? If they can’t take it from you legally? Well, how can they find a terrorist in hiding and execute him, but seldom bust a hacking or cyber ring? Think about it!

  3. USPS is still under the executive branch of the Federal Government and taxpayers are still footing the bill for fed employees’ pensions. Federal employees are in a position to be proactive. They are only reactive.

  4. This is yet another example of easily-fixed, govt ignore. Someone put in an unauthorized change of address for me to a town I have never been to. The change was done online!! Without verification or ID…..yet all of my mail stopped coming. Needless to say, the fraudulent credit cards opened in my name soon followed. The police said no crime was committed “here”…the postal inspectors listened and eventually recommended that I can “cancel the change of address,” which I had already done. This is still allowed by the USPS.

  5. Did this happen because those in the position to make the necessary changes thought they were too big to be exploited or are they just incompetent?

  6. What amazes me is the number of breaches and the seriousness of the info being exposed, the length of time this issue (governmentwide) has been going on, and how slow the agencies have been to fix the breaches…adequately fix these breaches. It is very well known for quite some time that Russia, China, N. Korea (and other entities) have been conducting cyberwarfare against the U.S. in general…the US Government in particular. Is there a “5th Column” within our government involved in (allowing) this problem to go unchecked, inadequately remedied?

    • @Peter O:
      Unfortunately, I don’t think that would fix the problems. The company would just appoint a “fall guy” and they could carry on as normal, fire proof and bullet proof. What is needed is class action on behalf of the millions of people affected by these criminal oversights. In the above case, if the 60 million initiated class action for $100 each (a modest sum) the cost would be 6 billion dollars. That would be enough for even the largest corporation/business to take the security of private information seriously, and with a bit of luck, put a few of them out of business permanently.

    • @Peter O:

      Blame lies with the white-collar bosses/CEO’s who don’t want to pay for proper IT.

      The guy at the bottom, Mr. Blue-collar IT guy who keeps asking in vain for money & support, gets blamed and fired. Situation continues.
