The United States Postal Service confirms a long-lived security flaw on its website potentially exposed the data of 60 million users over the course of 2017 and 2018.
USPS web breach is now closed
Krebs on Security reports the Postal Service has now closed a loophole on its site that allowed anyone with an online account at USPS.com to view account details for approximately 60 million other users.
Among the data that may have been exposed to anyone who logged in and did a simple search was:
- email address
- user ID
- account number
- street address
- phone number
- authorized users
But note this well: While all that data and more was available, the USPS says it has no reason to believe any of it was in fact accessed by hackers.
The security flaw was discovered by a researcher who contacted USPS to report it back in 2017.
Unfortunately, no action was taken to shore up the system at that time. It took the efforts of Krebs on Security to get the loophole closed earlier this month.
The exact point of weakness in the USPS.com system has been tied to a free program called Informed Visibility, which offers mail tracking and reporting in “near real-time.”
Informed Visibility, meanwhile, is a companion service to Informed Delivery — another free USPS program designed to offer a digital preview of incoming mail.
You can see our recent article for more about the opportunities and dangers around Informed Delivery, as well as similar tracking programs from FedEx, UPS and DHL.
Take steps to protect yourself now
If you want to shut potential identity thieves down before they wreak havoc in your life, a full-blown credit freeze is what you really need.
A credit freeze effectively shuts down a criminal’s ability to open new credit in your name even if they get your personal info in a breach.