Skip to main content

CVS accidentally leaks a billion user site records

Best cloud databases
(Image credit: Pixabay)

Cybersecurity researchers have chanced upon an unsecured database of healthcare and retail giant CVS that could have been used to identify customers.

According to security expert Jeremiah Fowler, the database measured over 200GB and contained over a billion records. The database contained a large number of searches on CVS.com and CVSHealth.com for medications and Covid-19 vaccines, and other items.

Surprisingly though, the database marked as “production” also housed a large number of email addresses. 

“CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs,” Fowler noted.

CVS told Forbes that the database was looked after by a third-party vendor, and was quickly taken down after Fowler flagged the leak.

Incessant logging

Fowler noticed the email addresses from all the popular email service providers while perusing the database for personally identifiable information.

Mostly though, the database contained records that indicated visitors searching for a range of items.

During his communication with CVS, Fowler learnt that the database was a dump of the queries entered into the search bar. Since most of the email addresses were entered on mobile devices, he fathoms that the app’s user interface misled users into entering their email address in the search bar thinking they were logging into their account.

Fowler believes the inadvertent collection of email addresses, highlights the risks of incessant activity logging.

“I recommended to CVS that in the future they should block any searches that match email address patterns or domain names from being executed or logged. This could help avoid unwanted data from being collected or stored,” Fowler suggests.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.