A security hole in a mail preview program from the U.S. Postal Service could have exposed the data of more than 60 million customers, giving third parties access to information including when critical documents and checks are scheduled to arrive in people’s mailboxes.
An anonymous researcher discovered the weakness in the “Informed Visibility” service, noting that a web component called an API allowed pretty much anyone with a USPS account to view details of other users and, in some cases, to modify those people’s account details.
The USPS says it has patched the security hole, but seemingly only did so after security expert Brian Krebs inquired about it. The anonymous researcher who alerted him claims to have alerted postal authorities about the issue more than a year ago.
Informed Visibility provides end-to-end mail tracking information for incoming mail, including checks, important documents, and more. That’s valuable information for identity thieves and common criminals.
The security flaw also let any user find the account details of other users, including email address, user ID, phone number and more, according to Krebs. The postal service says it has no information that any customer records were accessed. Officials also say they’re investigating further “out of an abundance of caution”.
The USPS has had a rough 2018. In August, it accidentally released an unredacted copy of a Congressional candidate’s personal security file and has been caught in the middle of a feud between President Donald Trump and Amazon most of the year. This PR black eye comes just over a month after the agency announced it was seeking the biggest stamp price hike in its history.
Editor’s note: An earlier version of this story incorrectly said the security weakness was tied to the USPS “Informed Delivery” service instead of “Informed Visibility”. The error has been corrected.