Feb 16, 2025

How a Simple API Flaw Exposed 60 Million US Postal Service Records

A vulnerability in a USPS API exposed data from 60 million users. Learn how a simple security flaw led to a massive data exposure.


Author: SolveCyber

Not all data breaches involve sophisticated hacking. Sometimes, a simple security flaw is enough to expose millions of records.

In 2018, a vulnerability in a system operated by the United States Postal Service allowed access to data from more than 60 million user accounts.

The problem was caused by an insecure API.

What Happened

The issue existed in a USPS system used by customers to manage mail services. The platform relied on an API to retrieve account information.

However, the API did not properly restrict access to user records. By modifying a user ID in the request, it was possible to retrieve information belonging to other users.

This type of vulnerability is known as broken object level authorisation (BOLA): the API checked that the caller was logged in, but not that the record being requested belonged to that caller. It is one of the most common API security issues and heads the OWASP API Security Top 10.
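As an added illustration (not USPS's system or SolveCyber's code), the handler below shows the BOLA pattern the article describes beside its fix, plus a log heuristic a defender could run to spot a session walking through other users' IDs. The account store, request shape and log format are all assumptions constructed for the example.

```python
"""Added example (not USPS or SolveCyber code): BOLA pattern, its fix, a log check."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample account store; the fields mirror those the article lists.
ACCOUNTS = {
    101: {"name": "Alice Example", "email": "alice@example.invalid", "user_id": 101},
    202: {"name": "Bob Example", "email": "bob@example.invalid", "user_id": 202},
}


@dataclass
class Request:
    session_user_id: int    # identity proven by the session or token
    requested_user_id: int  # the ID the caller placed in the request


class Forbidden(Exception):
    pass


def get_account_vulnerable(req: Request) -> dict:
    """BOLA: returns whatever ID the caller supplied; never asks who is calling."""
    return ACCOUNTS[req.requested_user_id]


def get_account_fixed(req: Request) -> dict:
    """Object-level check: the record must belong to the authenticated caller."""
    if req.requested_user_id != req.session_user_id:
        raise Forbidden("caller does not own the requested record")
    return ACCOUNTS[req.requested_user_id]


def flag_id_enumeration(log_lines: list[str], threshold: int = 2) -> dict[str, int]:
    """Detection heuristic over access logs: sessions that requested more than
    `threshold` distinct user IDs other than their own. Assumed log format:
    '<session_user_id> <requested_user_id>' per line."""
    foreign: dict[str, set[str]] = defaultdict(set)
    for line in log_lines:
        session, requested = line.split()
        if session != requested:
            foreign[session].add(requested)
    return {s: len(ids) for s, ids in foreign.items() if len(ids) > threshold}


# Constructed log sample: session 101 fetches its own record, then three others.
SAMPLE_LOG = ["101 101", "101 202", "101 203", "101 204", "202 202"]
```

With the vulnerable handler, a request from session 101 for ID 202 returns Bob's record; the fixed handler raises Forbidden, and the log check flags session 101 as having touched three foreign IDs.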

What Data Was Exposed

The exposed data included:

  • Names

  • Email addresses

  • User IDs

  • Account details

Although financial information was not involved, the scale of the exposure made it a major security concern.

Why This Matters

APIs power modern applications, but weak access controls can make them dangerous. A single flaw can allow attackers to retrieve large amounts of data.

Security assessments and penetration testing help identify API vulnerabilities like this before they lead to large-scale data exposures.