A CVS Health database leaked over 1B user records, which were left plainly exposed online. Over a billion search records belonging to CVS Health were accidentally posted online and were easily accessible to the public some time earlier this year.

CVS Health Database Leak

According to Website Planet, the database belonged to the healthcare and retail giant and was not password protected. This was discovered at the end of March 2021 by an independent cybersecurity researcher, Jeremiah Fowler. The published report is part of research into unsecured internet data.

The database, about 204 gigabytes in size and totaling 1.1 billion records, had no form of authentication in place to prevent unauthorized entry, according to the researcher. The exposed data was said to include customer email addresses, customer user IDs, and customer searches on the CVS Pharmacy website for medications and the COVID-19 vaccine.

CVS Consumer Data Collected

According to FierceHealthcare, the data, which was collected from both CVS.com and CVS Health, represents website visitor logs that show everything visitors had searched for. It is noted that this could be very valuable analytic data for companies to see how consumers are interacting with their platform.

Fowler spotted a number of records indicating that visitors had searched for items including medications, CVS products, and COVID-19 vaccines. Hypothetically, it could be easy to match the Session ID with what a visitor searched for, or at least added to a shopping cart during the session, and then try to identify customers using the supposedly exposed emails.

CVS Health Representatives

It is noted that unsecured data poses a great risk: the exposed email addresses can be used as targets for phishing attacks, according to researchers. Fowler noted that the team of researchers immediately sent a disclosure notice to CVS Health, and general public access was restricted the very same day.

In a new statement, a CVS spokesperson confirmed that in March a security researcher notified the company about a publicly accessible database that contained non-identifiable CVS Health metadata. CVS then stated that it worked quickly with the vendor to take the database down.

Fowler also reveals that CVS representatives noted that the customer emails weren't from CVS customer account records and were instead entered into the search bar by visitors. Fowler still notes that, unfortunately, human error is the only thing to blame, both for the misconfiguration that publicly exposed the database and for the website visitors who entered their own email addresses in the search bar.

This article is owned by Tech Times

Written by Urian B.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.