Skip to main content

USPS fixes online flaw that exposed the data of 60 million customers

The United States Postal Service (USPS) has patched a security flaw that allowed anyone with an account at to view the account details of any of the 60 million people signed up to the service. In some cases, the flaw even allowed for changes to be made to those accounts.

In a post on his website, security specialist Brian Krebs said that he was recently contacted by a researcher who said he’d told the USPS about the flaw last year. After receiving no response, the researcher contacted Krebs, who took up the issue with the USPS. The Postal Service says it has now patched the bug.

Asked why it apparently took a year to deal with the issue, a USPS spokesperson told Digital Trends that it “has not been able to substantiate the claim … that the researcher reached out to us a year ago.”

Krebs said the bug concerned an authentication vulnerability in the API linked to a USPS service called “Informed Visibility,” which provides businesses, advertisers, and other bulk mail senders with access to near real-time tracking data connected with their mail campaigns and packages.

As well as exposing near real-time data about packages and mail being sent by USPS commercial customers, Krebs explained that the vulnerability let any logged-in user search the system for account details belonging to any other user, “such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data, and other information.”

Changes could also be made to that data, though Krebs noted that for some data fields, a validation step — such as a confirmation message sent to the email address linked to the account — prevented the alteration from taking place.

Highlighting the seriousness of the flaw, security researcher Krebs said that “no special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular web browser like Chrome or Firefox.” Those with the know-how would have been able to access information about who lived inside a particular premises by performing a regular search on its street address.

In a statement to Digital Trends, the Postal Service said: “Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

The USPS added that at the current time there is no evidence to suggest that customer records have been exploited in any way.

Editors' Recommendations

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Skype now supports 911 calls in the U.S.
iPhone with the Skype mobile app loading screen.

Skype has updated its mobile and desktop apps to allow emergency calling in the U.S. for the first time in its 18-year history. Calls to 911 are also possible via Skype’s web-based service, notes for the recently released Skype 8.80 showed.

Emergency calling from Skype could come in handy if you find yourself in a tricky situation without a phone but have a computer close by, or if phone lines are down but you can get online.

Read more
The Interplanetary File System: How you’ll store files in the future
Cloud storage for downloading an isometric. A digital service or application with data transmission. Network computing technologies. Futuristic Server. Digital space. Data storage. Vector illustration.

When you upload a file or send a tweet, your information is stashed in some corporation-owned mega data center in the middle of nowhere. The endless racks of computers in these facilities hold millions of ledgers, and with a flick of a switch, companies can censor or misuse the data.

But what if instead of handing it to, say Amazon or Google, your data is broken down into pieces and scattered across the globe so that no one except you and your key -- not even the government -- can access it?

Read more
The best hurricane trackers for Android and iOS in 2022
Truck caught in gale force winds.

Hurricane season strikes fear into the hearts of those who live in its direct path, as well as distanced loved ones who worry for their safety. If you've ever sat up all night in a state of panic for a family member caught home alone in the middle of a destructive storm, dependent only on intermittent live TV reports for updates, a hurricane tracker app is a must-have tool. There are plenty of hurricane trackers that can help you prepare for these perilous events, monitor their progress while underway, and assist in recovery. We've gathered the best apps for following storms, predicting storm paths, and delivering on-the-ground advice for shelter and emergency services. Most are free to download and are ad-supported. Premium versions remove ads and add additional features.

You may lose power during a storm, so consider purchasing a portable power source,  just in case. We have a few handy suggestions for some of the best portable generators and power stations available. 

Read more