WWE News: Data Leak Exposes Personal Information Of Millions Of Wrestling Fans

A database containing personal information from millions of wrestling fans may have been left unsecured and exposed for anyone to access as the result of a simple IT error, Forbes reported.

Bob Dyachenko, chief communication officer at Kromtech—maker of antivirus MacKeeper— discovered an unprotected database belonging to the WWE that contained data from more than three million people.

Read: Voter Registration Data Breach: Unsecure Server Leaves Info On Nearly 200 Million Americans Exposed

The database, which sat on an openly accessible Amazon Web Services server, contained names, email addresses, home addresses, dates of birth, gender identities, educational backgrounds, earnings and ethnicities. All of the information was stored in plaintext and could be read in its entirety.

There was no username or password protecting the database, meaning it was accessible to anyone who knew the web address it was hosted at—or anyone who may have stumbled across it, willingly or not, like the security researcher who spotted it.

It’s not entirely clear where the personal information stored in the database came from. Given the amount of identifying points of data, it is believed that the information may have come from a marketing department. It is possible the users listed in the database are users of the subscription-based WWE Network video service, which boasts about two million subscribers.

The WWE was informed of the exposed database by Dyachenko after he discovered it. The company has since taken steps to secure the server and ensure user data is no longer readily accessible to anyone who finds the database.

Read: VIN Leak: 10M Auto Records, Personal Details Leak Online

In a statement, the WWE stressed that new credit card or password information was included in the database and users are not at risk of having their account accessed—though if their email address in the database has been involved in a previous leak that did include a password like the Yahoo or LinkedIn breaches, it is possible their account could be at risk.

“WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured,” the company said in a statement. “WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.”

The WWE database leak mirrors a similar occurrence earlier this year when a massive collection of nearly 200 million voter registration files that could be used to identify American voters was discovered online on an unsecure server. The records were also discovered on an unprotected Amazon server, which was owned by Republican data analytics firm Deep Root Analytics.

The database, which has since been secured, contained voter names, dates of birth, home addresses, phone numbers and voter registration details including party affiliation. The data sets also listed voter ethnicity and religion.

"This WWE fan data leak is yet another major organization’s lapse in cloud security and data privacy awareness,” Salim Hafid, Product Manager at cloud security firm Bitglass, told International Business Times.

“Proper configuration and controls that prevent data leakage are critical for platforms like AWS where millions of user records are often stored and readily accessed. As public cloud adoption rises, organizations must have configurations and controls tightly sealed on all fronts – their customer’s sensitive personal data depends on it," he said.