Three million WWE fan accounts exposed online

Unsecured AWS server hosts fans' names, addresses, and birth dates

Databases containing the personal information of more than three million WWE fans have been found lying unprotected online, allowing anyone with the correct address to view the plain text data.

Bob Dyachenko, of security firm Kromtech, told Forbes that he had discovered a massive trove of data stored on an Amazon Web Services (AWS) S3 server without username or password protection.

Advertisement - Article continues below

The data included home and email addresses, the ages and dates of birth of customers and their children, as well as their genders and ethnicity, although no financial information was stored. Dyachenko speculated that the database likely belonged to one of the WWE's marketing teams, as social media tracking data was also found.

If that wasn't bad enough, a second database was found shortly after, held on another AWS server and again entirely unprotected. This one appeared to hold data primarily on European customers, and contained only addresses, names and telephone numbers. An initial Forbes investigation pointed to the WWE online store as a likely source.

Dyachenko alerted the WWE on 4 July, which then quickly removed the databases from the servers and said it was investigating the incident alongside cyber security firms Smartonix and Praetorian. There is no obvious indication that the databases have been exposed at this stage, however an individual would have only required the right address to view the entirety of the data set. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Although no credit card or password information was included, and therefore [is] not at risk, WWE is investigating a potential vulnerability of a database housed on a third party platform," a WWE spokesperson said, in a statement to IT Pro.

"In today's data-driven world, large companies store information on third party platforms, and unfortunately have been subject to similar vulnerabilities. WWE utilises leading cyber security firms to proactively protect our customer data."

Salim Hafid, product manager at cloud security firm Bitglass, told IT Pro that the leak "is yet another major organisation's lapse in cloud security and data privacy awareness".

"Proper configuration and controls that prevent data leakage are critical for platforms like AWS where millions of user records are often stored and readily accessed," added Hafid. "As public cloud adoption rises, organizations must have configurations and controls tightly sealed on all fronts - their customer's sensitive personal data depends on it."

Advertisement - Article continues below

IT Pro has approached the WWE for comment on the ongoing investigation.

A number of significant data breaches have occurred due to unsecure AWS buckets, typically the result of misconfigurations of servers

Last month it was discovered that almost 200 million US voter details were made publicly available when a Republican Party contractor left them open on an Amazon database. A similar oversight also left 1.5 million medical records of US citizens exposed in 2015.

Picture: Bigstock

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement

Recommended

Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020
Visit/security/cyber-security/355267/zoom-hires-ex-facebook-cso-to-boost-platform-security
cyber security

Zoom hires ex-Facebook CSO Alex Stamos to boost platform security

8 Apr 2020
Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns
video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020
Visit/security/cyber-security/355271/microsoft-gobbles-up-corpcom-domain-to-keep-it-from-hackers
cyber security

Microsoft gobbles up corp.com domain to keep it from hackers

8 Apr 2020