Skip to main content

USPS Vulnerability May Have Exposed Millions of Users

By December 12, 2018June 2nd, 2022Cybersecurity

Do you have an account on  If so, you’re not alone.  Tens of millions of Americans use it daily for a variety of purposes.  Unfortunately, if you do have an account, it may have been compromised.

Recently, the USPS announced the discovery of a critical security vulnerability that exposed the account information of more than sixty million customers to literally anyone with a account.

The flaw was discovered by a researcher who has chosen to keep his/her identity a secret, but essentially worked like this:

Any user logged into could perform a search using any number of wildcard search parameters.  Given that, any user could search for the details of literally any other user on the system and get them.  Note that nearly any detail could be collected in this manner, including:

  • User name
  • Email address
  • Mailing address
  • Phone number
  • Authorized users
  • And more

Worst of all, the process of obtaining all the data could easily be automated and simply left to run and collect.

Setu Kulkarni, the VP of Strategy and Business Development at WhiteHat Security had this to say about the flaw:

“APIs are turning out to be a double-edged sword when it comes to internet scale B2B connectivity and security.  APIs, when insecure, break down the very premise of uber connectivity they have helped establish.

To avoid similar flaws, government agencies and companies must be proactive, not just reactive, in regard to application security.  Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues:  APIs, network connections, mobile apps, websites, and databases.  Organizations that rely on digital platforms need to educate and empower developers to code using security best practices through the entire software lifecycle, with proper security training and certifications.”

The worst part about this incident was the fact that the unnamed security researcher reported the issue to the post office over a year ago.  It took that long for the agency to finally take action, and when they did, they were able to solve the problem in less than 48 hours.

While it’s unknown if anyone took advantage of the flaw, there’s no sense taking chances.  Assume the worst and act accordingly.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.