Living in fear that a nameless individual may brute force your username and password is one thing, but what if your information was just available to anybody with the right URL?
That question is one that became very real for three million WWE fans this week when Bob Dyachenko from security firm Kromtech discovered a WWE database just sitting on an Amazon Web Services S3 server, in plain text.
The scary part is that all you needed to access the database was the correct URL.
In a report by Forbes, the database included home and email addresses, birth dates, the age of customers’ children and genders. The WWE has said that no credit card or password information was stored in the database.
It’s believed that the database belonged to a marketing team employed by WWE, as it contained social media tracking data.
A second database – also on Amazon’s service – contained information about European fans including addresses, telephone numbers and names.
Forbes reports, “According to one customer, who responded to Forbes’ inquiries trying to validate the leaked data, it was likely this database was from an online WWE store as “the network doesn’t require a mobile number.”
The cause of the data leak (if you can call it that) is currently being investigated but its more than likely it was caused by an incorrect configuration of the database.
Both databases have been removed and are currently inaccessible.[Image – CC BY SA Randall Chancellor]