TechCrunch reports that a broken U.S. Postal Service API exposed the data of over 60 million users by allowing a researcher to pull information by sending wildcard requests to the server. The breach has since been addressed after numerous requests to USPS.
“We’ve increasingly seen this type of leaked information — email addresses, street addresses, and phone numbers — used to add credibility in targeted ‘spear-phishing’ messages,” says Mark Risher, head of account security at Google. “Identifying these messages can be quite tricky, so users are encouraged to use a mail client and web browser with robust anti-phishing warnings; the default app on your phone or laptop may not offer these protections. Users with Google Accounts should also consider taking a Security Checkup to ensure their apps and devices are in the best-protected state.”
The USPS service, known as Informed Delivery, lets users track their mail and offers an API for connecting their mail to specialized services.
TechCrunch reports that the researcher, who has not been identified, showed that the service accepted wildcards for many searches, enabling any user to see someone else's information on the site.
The API vulnerability has since been fixed, but there is no telling whether data has been mishandled.