USPS Leaves User Account Data Exposed For A Year

November 26, 2018

For better or worse, we tend to trust organizations within or associated with the federal government. The United States Postal Service (USPS) is one of those agencies we usually count on to deliver our mail and packages safely: “Neither snow, nor rain, nor heat, nor gloom of night, stays these couriers from the swift completion of their appointed rounds.” That said, in the age of technology trust is sometimes tested, and recently the USPS has tested it for users who have accounts on its website.

A cybersecurity researcher, who has asked to remain anonymous, found a vulnerability in the software that runs the “Informed Visibility” program, which helps business customers track mail in real time. Not only did the flaw expose this real-time tracking information, it also allowed any logged-in user to search for account details belonging to other users. Data that could have been queried included email address, account number, phone number, street address, username, and other data.
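The flaw described above belongs to the class where a service checks that the caller is logged in but never checks that the record requested belongs to that caller. The following is an added illustration of that pattern and its fix, written for this article; it is not USPS code and says nothing about how the Informed Visibility software is built. The account records, session tokens, field names and the in-memory denial log are all constructed for the example.

```python
"""Constructed illustration of an account-lookup endpoint: one version checks
only authentication, the other also checks object ownership and records
denied cross-account requests so they can be reviewed."""

# Constructed sample records; none of these belong to real accounts.
ACCOUNTS = {
    1001: {"username": "alice", "email": "alice@example.invalid", "phone": "555-0100"},
    1002: {"username": "bob", "email": "bob@example.invalid", "phone": "555-0101"},
}

# Constructed session table: session token -> account number of the logged-in user.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# Constructed audit trail of denied lookups: (session token, requested account).
DENIED_LOG = []


class NotAuthorized(Exception):
    pass


def lookup_vulnerable(session_token, account_id):
    """Authentication only: any logged-in user may fetch any account record."""
    if session_token not in SESSIONS:
        raise NotAuthorized("login required")
    return ACCOUNTS.get(account_id)  # no check that the record is the caller's


def lookup_hardened(session_token, account_id):
    """Authentication plus object-level authorization against the session's owner."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise NotAuthorized("login required")
    if account_id != caller:
        # Deny and record the attempt; the ownership test runs before any data access.
        DENIED_LOG.append((session_token, account_id))
        raise NotAuthorized("account %s is not owned by the caller" % account_id)
    return ACCOUNTS.get(account_id)


def is_denied(session_token, account_id):
    """True when the hardened lookup refuses the request."""
    try:
        lookup_hardened(session_token, account_id)
    except NotAuthorized:
        return True
    return False


def sessions_probing_foreign_accounts(denied_log, threshold):
    """Sessions denied access to at least `threshold` distinct accounts.

    A normal user rarely asks for someone else's record even once, so a
    session that does so repeatedly is worth a look by the operations team.
    """
    seen = {}
    for token, account_id in denied_log:
        seen.setdefault(token, set()).add(account_id)
    return sorted(token for token, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable("tok-alice", 1002))  # returns bob's record
    print("hardened, own record:", lookup_hardened("tok-alice", 1001))
    for target in (1002, 1003):
        print("hardened, foreign record", target, "denied:", is_denied("tok-alice", target))
    print("sessions to review:", sessions_probing_foreign_accounts(DENIED_LOG, 2))
```

The ownership check is deliberately placed before the data access and keyed on the session's own account number rather than on anything the client sends; the denial log is what turns a silent refusal into something a detection rule can count.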

Those who have accounts on the usps.com website are strongly encouraged to change their passwords. Do this by logging directly into the account and going to the “My Profile” page, then “Preferences.” Click on “PASSWORD,” and voilà! Easy as that.

The page even gives you the guidelines for creating a strong password. Click on the little question mark icon next to “New Password” and it says “Passwords need 8 characters, including an uppercase and lowercase letter, a number, and a special character. They are case-sensitive and cannot include your username or more than two repeat characters in a row. Your password can include special characters – ( ) . & @ ? ‘ # / “ + !” Those are pretty good tips from the post office. Add to that: don’t use dictionary words, personal information, or other easy-to-guess words, and you’ve got a strong password.
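The rules quoted above are concrete enough to implement. The validator below is an added example written for this article, not USPS code and not how the usps.com form checks passwords. It assumes the listed special characters (with the curly quotes read as ASCII ' and ") are the accepted set, and it adds the article's own advice about dictionary words using a small constructed word list.

```python
import re

# Special characters quoted on the page; the curly quotes are taken as ' and ".
SPECIALS = set("().&@?'#/\"+!")

# Constructed mini word list for the "no dictionary words" advice. A real
# deployment would use a full dictionary or a breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "postal", "mail"}


def check_password(password, username):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Username check is case-insensitive: "Alice" inside "myAlice1!" still counts.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # "More than two repeat characters in a row" means three identical
    # consecutive characters; the match is case-sensitive, like the password.
    if re.search(r"(.)\1\1", password):
        problems.append("more than two identical characters in a row")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append("contains dictionary word %r" % word)
            break
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub&dor!", "Ab1!", "Alice#2018x", "Password1!", "Abcddd1!"):
        print(candidate, "->", check_password(candidate, "alice") or "ok")
```

Returning the full list of violations rather than a bare yes/no lets the form tell the user every rule they missed at once, which is what the usps.com help text is trying to do in prose.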

If you stored payment information in your account, watch for suspicious charges on those payment accounts for at least one year, or until the account numbers are replaced with new ones.

Unfortunately, the post office sat on this flaw for over a year: the researcher says they reported it at the time, yet the organization didn’t react. After journalist Brian Krebs contacted it, the flaw was addressed within 48 hours.

It’s unclear whether anyone actually exploited the flaw, but to be safe, change the password for your usps.com account. The Postal Service is investigating further.

 

Stickley on Security
Published November 25, 2018