Pro wrestling giant World Wrestling Entertainment notified fans on Thursday that a database containing personal information of three million fans was left on an insecure server. According to the WWE, personal information included names, both home and email addresses, earnings, ethnicity, children’s age ranges, birthdates and additional personally identifiable information.
Kromtech Security Research Center, which found the database, said the data was accessible as plain text records located on an unprotected Amazon Web Services S3 server. It blamed either WWE or an IT solution provider for misconfiguring the Amazon S3 database hosting the data.
“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured.”
Jason Powell of Prowrestling.net added, “This is obviously troubling information for WWE and for the company’s image from a security standpoint.”
The data leak is the latest in a string of exposed databases found by Kromtech and part of a larger trend of misconfigured databases hosted on Amazon servers. In January, Kromtech found thousands of MongoDB databases left unintentionally insecure by businesses, many hosted on AWS S3 servers.
In February, Kromtech researchers found tens of thousands of sensitive documents insecurely stored online belonging to a print and marketing firm. In April, it found a California auto loan company left the names, addresses, credit scores and partial Social Security numbers of up to 1 million people exposed on an insecure online database. In January, Kromtech found 400,000 audio files associated with a Florida company’s telemarketing efforts were stored insecurely online.
In June, another researcher, Chris Vickery, a cyber risk analyst at security firm UpGuard, found detailed voter profiles of 198 million voters left exposed on an Amazon S3 account by Republican Party-affiliated data broker Deep Root Analytics.
With the most recent leak, the WWE was notified of the security issue on July 4 by a reporter at Forbes, which had been tipped off to the insecure database by Kromtech. According to the Forbes report, the database didn’t just include PII on 3 million WWE fans, but also information on European fans who most likely shopped online at the WWE store.
According to the report, the database also “contained reams of information primarily on European fans, though the information contained only addresses, telephone numbers and names.”
It’s unclear from the WWE statement and the Forbes report whether any of the data openly available via the database had been accessed by a malicious threat actor.