WWE fans' details stolen

Olivia Storey

A huge WWE user leak has exposed personal information belonging to 3 million wrestling fans.

An IT error on the WWE web browser left users’ personal information open to anyone, including home addresses, earnings, ethnicity, dates of birth, and their children’s information.

The data breach could have been the result of IT errors by either WWE or an IT partner. The website is hosted on Amazon Web Services S3, which has recently seen other data leaks on its infrastructure.

The WWE webpage contained information on more than 3 million users, held in not just one but two unprotected databases.

One database contained much more sensitive data than the second, which only contained names, telephone numbers and home addresses, although neither database contained financial details or passwords.

It is unclear which part of the WWE Corporation the databases came from, but the data included is the same as that in the account details section for customers of the subscription-based video streaming service and the WWE online store.

The databases were open to absolutely anyone who knew the right web address to search, as no username or password was required to gain access. Not only was the data open to all, it was also unencrypted and stored in plain text, making it easy for cyber criminals to steal all of it.

The databases were likely misconfigured in error, as WWE very swiftly removed them from the Web after being alerted to their availability.

We ask Mark James, ESET IT Security Specialist, whether this server should have been password protected, and why cybercriminals would want to access data like this.

“Absolutely, we should never have public-facing data that does not have some form of authentication to access.

“Security measures are in place for a reason but occasionally either through design or during testing, these may be switched off to make life easier, then overlooked or purposely left without security because it may not seem a target or a concern in the first place.

“We need to understand that all data has a value.

“With the tools available for anyone to download and use that would enable them to simply scan ports and look for open databases, we must assume that every database is a potential target.

“Data breaches happen every single day and we must treat “data” as something that WILL be targeted and stolen.

“It’s not down to us to determine if the data we hold is valuable, cybercriminals have already made that decision for us.”

Have you ever had information stolen in a breach? Did you blame the company? Or the hacker? Let us know on Twitter @ESETUK.