Where's Wade Barrett when you need him? I'm afraid I've got some bad news.
Apparently there is a huge unprotected WWE database online that contains personal information on more than 3 Million users--information like home & email addresses, birthdates, ethnicities, household earnings, educational backgrounds, and even information about users' children--and it's available to anyone who knows which web address to search.
According to Bob Dyachenko, who works at a security firm called Kromtech and is cited in a report on Forbes.com, all data is stored in plain text, "sitting on an Amazon Web Services S3 server without username or password protection." It seems likely that the database was simply misconfigured by WWE's IT department or a partner. WWE said it was investigating.
Dyachenko suspects the database belonged to one of WWE's many marketing teams, because it also included "reams of social media tracking data, including posts from superstars and fans." It's possible the data all came from WWE Network profiles, as the kinds of data in the leak are the same as would be provided in a user's account section.
Unfortunately, that's not all.
According to Dyachenko, there was another unprotected database that contained tons of information primarily on European fans, though in this database there were only addresses, telephone numbers and names, a review of samples of the data revealed. Forbes contacted a few customers, trying to validate the leaked data, and it appears this database was compiled from the Online WWE Shop, since the WWE Network doesn't require a phone number to set up.
WWE said that they immediately took steps to remove the databases from the web as soon as they were alerted, and were quick to add that "no credit card or password information was included, and therefore not at risk. WWE is investigating a potential vulnerability of a database housed on a third party platform," the company's spokesperson said.
"In today's data-driven world, large companies store information on third party platforms, and unfortunately have been subject to similar vulnerabilities. WWE utilizes leading cybersecurity firms to proactively protect our customer data."
WWE didn't say where the information came from or how long the database was open on Amazon. The spokesperson said the firm was working with "a leading cybersecurity firm" to determine the cause of the leak.
The Forbes article also delves into the question of how ethical it is to be compiling ethnicities of fans, as well as information about their children, such as age ranges and the like.
A WWE spokesperson reached out to Fightful.com and issued the following statement.
"Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information."
The full article is available at this link.