An improperly secured Amazon S3 “bucket” (server) belonging to World Wrestling Entertainment (WWE) had exposed the personal details of over three million fans.
The database was discovered this month by security researchers from the Kromtech Security Research Center. Kromtech staff contacted the WWE, whose employees secured the database within hours, along with a second one that researchers found after the first.
The first database exposed WWE user details
The first of these databases contained a big grouping of raw text files that contained information on WWE users, which presumably the company was using to study its fanbase and put together targeted marketing campaigns.
Kromtech says the database didn’t include duplicates and contained details on 3,065,805 users. The raw text files stored user data in the following format.
action|wweuid|email|address1|address2|city|region|zipcode|countrycode|firstname|lastname|mi|gender|dob|source|source2|phone|title|favstar1|favstar2|favstar3|ethnicity|education|income|newsletterPref|childrens age|childrens gender|cableprovider|adddate|network sub|profile status
This is not the only data that was on the server, but Kromtech says the rest of the files weren’t publicly accessible as the raw text files. Researchers estimate the raw text files took about 12% of the entire database’s content.
Second database exposed marketing data
Kromtech also says they found a second database, that also exposed between 10% and 12% of its content to the public. This S3 bucket contained spreadsheets with social media tracking of the WWE social media accounts; YouTube with weekly totals of plays, likes, shares, comments; and a large cache of saved Twitter posts.
Researchers say this data was broken down per country and was also most likely part of the WWE’s marketing efforts.
“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured,” a WWE spokesperson said in a statement.
“WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS,” the company added. “We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”