Massive WWE Leak Exposes 3 Million Wrestling Fans' Addresses, Ethnicities And More

Posted by SGCS Admin, 17-07-2017

WWE fans take note: an IT error may have left your personal information open to anyone, including addresses, educational background, earnings and ethnicity.

 

Earlier this week, Bob Dyachenko, from security firm Kromtech, told Forbes he'd uncovered a huge, unprotected WWE database containing information on more than 3 million users, noting it was open to anyone who knew the web address to search. Looking at samples of the leaked information provided by Dyachenko, all data was stored in plain text.

 

The data - which also included home and email addresses, birthdates, as well as customers' children's age ranges and genders where supplied - was sitting on an Amazon Web Services S3 server without username or password protection, Dyachenko said. It's likely the database was misconfigured by WWE or an IT partner as in other recent leaks on Amazon-hosted infrastructure. WWE said it was investigating.

 

It's unclear what branch of the WWE Corporation the database came from, though Dyachenko suspects it belonged to one of its many marketing teams, given it was accompanied by reams of social media tracking data, including posts from superstars and fans. The kinds of data in the leak are the same as those in the account details section for customers of the WWE Network,  a subscription-based video streaming service for wrestling events.

 

That wasn't the only database WWE was leaking, Dyachenko added. It left another on Amazon's hosting service that contained reams of information primarily on European fans, though the information contained only addresses, telephone numbers and names, a review of samples of the data revealed. According to one customer, who responded to Forbes' inquiries trying to validate the leaked data, it was likely this database was from an online WWE store as "the network doesn't require a mobile number."

 

Shortly after WWE was alerted to the leak by Dyachenko on July 4, the company moved swiftly to remove them from the web, making them inaccessible.

 

"Although no credit card or password information was included, and therefore not at risk, WWE is investigating a potential vulnerability of a database housed on a third party platform," a spokesperson from the wrestling giant said.

 

"In today's data-driven world, large companies store information on third party platforms, and unfortunately have been subject to similar vulnerabilities. WWE utilizes leading cybersecurity firms to proactively protect our customer data."

 

WWE didn't say where the information came from or how long the database was open on Amazon. The spokesperson said the firm was working with "a leading cybersecurity firm" to determine the cause of the leak.

 

Ethical ethnicity issues

 

While the security lapse is cause for concern, that WWE is also collecting ethnicity information and children's age ranges has privacy advocates anxious. Amongst the categories within the ethnicity bracket were caucasian, African American, American Indian, Hispanic and Asian, while options for children's age ranges were under 13, over 13, both or none. It would appear, however, that the fans had volunteered that information, having the choice to do so on their WWE Network profile.

 

Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, pointed to the issues Facebook had in late 2016 after it was criticized for offering advertisers the ability to target ads at ethnic groups. Facebook responded by preventing advertisers targeting ads at specific ethnicities for housing, employment or credit. WWE does not state in its privacy policy how it will use ethnicity or earnings data, though does say it shares personal information with selected, unnamed partners.

 

"It's unfortunate by being a WWE fan, you're now part of a data breach. Addresses with number and ages of children makes me nervous," added Hall.

 

He also called on Amazon to do more for those leaving data open on its cloud servers. "It's unfortunate Amazon doesn't have a 'neighborhood patrol' of sorts for S3 that checks for open buckets with sensitive data - jiggling the locks, checking for apparent misconfigurations - and then takes them offline." Amazon hadn't responded to a request for comment at the time of publication.

 

Multiple leaks have occurred on Amazon in recent months, largely thanks to misconfigurations of servers. The most notable was that of a Republican Party marketing contractor that left data on more than 198 million voters on an open database in June. In that case the information appeared to be amassed from a wide range of sources, and included addresses, birthdates, phone numbers and sentiment analyses for predicting individuals' opinions, religion and ethnicity.

 

Source: https://www.forbes.com/sites/thomasbrewster/2017/07/06/massive-wwe-leak-exposes-3-million-wrestling-fans-addresses-ethnicities-and-more/#65d990f075dd