Breach Brief – Amazon, USPS

Published On November 23, 2018 | By Tom Huskerson | Breach Briefs

Amazon, the world’s largest retailer, is quietly notifying its customers of a data breach by sending the affected account holders an email. Amazon officials  admit to the data breach but are keeping extremely closed mouth about the details.

The email, sent out Wednesday, offers no details as to how long customers’ personal information was exposed or where inside Amazon’s vast network the breach took place. It’s also devoid of any information regarding the number of customers impacted, geographic location, specific purchase, or any information that would concern their millions of customers.

 

Below is the full text of the Amazon email.

From: Amazon.com
Sent: 21 November 2018 10:53
To: a——–l@hotmail.com
Subject: Important Information about your Amazon.com Account

Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely,
Customer Service
http://Amazon.com

An Amazon representative declined to offer any additional information regarding the breach except to say “We have fixed the issue and informed customers who may have been impacted.” However Amazon does give a way a simple yet vital indicator that the breach was more an internal error than an outside attack. The email clearly states, in the final sentence, that you need not change your password or take any action. That’s Amazon for “my bad!”

 

United States Postal Service

A much more severe breach occurred at the post office website. The U.S. Postal Service repaired a security flaw that permitted any USPS.com account holder to view account details for some 60 million other users. To make matters worse, in some cases an account holder could actually modify account details. And this existed for more than a year after the Postal Service was reportedly informed of it.

The issue came to light when an anonymous researcher reported the discovery to KrebsOnSecurity.com. The researcher claimed he had notified the Postal Service more than a year ago got no response and and nothing was done. Krebs contacted the USPS once the findings were confirmed resulting in immediate action.

The problem was caused by a authentication weakness in a USPS Web component known as an “application program interface,” or API. The API is basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another. KrebsOnSecurity performed a review of suspect API  and discovered that the flaw allow near real-time data about USPS mail and package sent by commercial customers. It also the let any logged-in USPS.com user query the data for account details belonging to any other user. The information exposed include, email addresses, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

According to some security experts this as a glaring, even juvenile security error on the part of the USPS. According to International Computer Science Institute researcher Nicholas Weaver the API should have confirmed user requesting the data had the proper permissions to access the data.

“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” Weaver said. “It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples’ data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well.” 

 

Like this Article? Share it!

About The Author

Tom Huskerson Bio Born in Richmond Virginia Tom Huskerson is a military veteran who settled in California after his discharge. He attended Santa Barbara City College where he began his writing career as a campus reporter. He worked as an intern news reporter for the Santa Barbara News-Press writing feature stories before moving on to San Francisco. At San Francisco State University Tom studied broadcast communications and began to focus on the Internet. He completed his graduate thesis on Internet advertising. Tom was the first student to ever focus on the Internet as a graduate student at San Francisco State University. After graduation he went to work for Zona Research in California’s Silicone Valley. As a research associate Tom supported senior analyst writing on the latest developments in the Internet industry. During the dot com boom Tom worked for several web businesses as a market researcher and analyst. As a writer and researcher Tom has authored various technical works including a training program for Charles Schwab security. Other projects included professional presentations on workplace violence and hiring security contractors. Tom has returned to focus on writing both fiction and non-fiction works and blogging for a travel website. He has published two books of short stories and completed two novels. Tom is the owner of Scribe of Life Literature and EbonyCandle. Most recently Tom has launched the blog African American Cyber Report. The blog is the result of his desire to inform the African American community of the dangers and benefits of the cyber age. In his blog Tom reports on information security, new and analysis, scams and hoaxes, legal happenings and various topics that arise from the age of information. Tom believes that technology is a necessary tool for black people and they should know what is happening. Tom writes believing that techno speak is for the professional and that valuable information can be communicated using plain language. As a result he has embraced the motto, Less Tech, More Knowledge.

Leave a Reply

Your email address will not be published. Required fields are marked *