The flaw exposed personal data for 60 million ‘Informed Visibility’ accounts.
“It was caused by an authentication weakness in the site’s application programming interface (API) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages. The API should have verified whether an account had permissions to read user data but USPS didn’t have such controls in place.”
Users were not simply exposed by sending and receiving mail, only becoming potentially compromised should they have conducted business on the site which required a user name. The user names were also exposed by the vulnerability, along with attending addresses. So if you have been one of the many users who have utilized USPS services online, hackers may have gathered some of your private information.
Users’ personal data including emails, phone numbers, mailing campaign data were all exposed to anyone who was logged into the site. Additionally, any user could request account changes for another user, so they could potentially change another account’s email address and phone number, although USPS does at least send a confirmation email to confirm the changes.
The United States Postal Service has recently been in the news due to another price increase on stamps and other delivery services. Those increases were the result of yet another year of financial woes, struggles which have left the USPS deeper in debt. It is reasonable to imagine that every aspect of the service is struggling, not just the information technology division.