WWE fans, beware: a cybersecurity error left the personal information of more than 3 million users unprotected online, free to access for anybody who knew what to search for.
The wrestling entertainment company confirmed the authenticity of the report and has removed the database, but the damage may have already been done.
Unprotected WWE Online Database
The leaked data, all of which was stored in plain text, included information such as home address, email address, educational background, ethnicity, earnings, and age ranges of children, were found on an Amazon Web Services S3 server with no username or password protection.
The discovery was made by Bob Dyachenko, from German security firm Kromtech. He suspects that the database belonged to one of WWE's marketing teams, as it included a significant amount of social media tracking data such as posts made by the WWE superstars and its fans. The kinds of data involved in the leak are similar to what is asked from users for the account details section of the WWE Network, which is a subscription-based video streaming service for the wrestling company's fans.
Dyachenko, however, added that there is another WWE database that was leaked on Amazon Web Services, with the second database containing information mostly on European customers. The information contained in the database, however, only included names, telephone numbers, and addresses, likely from an online WWE store as the WWE Network does not ask users for their mobile numbers.
What Is WWE Doing About The Information Leak?
The unprotected database was likely caused by a misconfiguration from WWE's technical department or from one of the company's IT partners.
Center for Democracy & Technology chief technologist Joseph Lorenzo Hall also pointed out the issue of WWE collecting information on ethnicity, while calling out Amazon for allowing data to be left unprotected on its cloud servers. Such incidents already happened before, including data on 198 million voters inadvertently uploaded by Republican Party marketing contractor Deep Root Analytics.
WWE said that it is currently investigating the cause for the massive data leak. The company took the unprotected databases down as soon as Dyachenko informed it on July 4.
"WWE is investigating a potential vulnerability of a database housed on a third party platform" said a company spokesperson, who reiterated that more sensitive information such as passwords and credit card details were not included in the leak.
Nevertheless, in a world where cybersecurity threats are on the rise, leaked personal information could lead to cases of identity theft. For WWE fans who have WWE Network accounts, it would be wise to remain vigilant and report any cases of identity theft that you may encounter.