Update: A new WWE statement reads:
Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cybersecurity firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information.
Original Story: Due to a seemingly easy-to-fix IT error, three million WWE fans had their personal information just sitting there, readily available for anybody to look at. This didn’t just include things like their addresses—the information revealed also dealt with fans’ educational backgrounds, earnings and even ethnicities.
The leak was discovered by Bob Dyachenko of security firm Kromtech, per Forbes. Dyachenko uncovered a page that was easily accessible to anybody who had the correct web address. All of the information was just sitting there in plain text.
The data was hosted on an Amazon Web Services S3 server and appeared consistent with the contents of the account details section for customers of the WWE Network subscription service. Additionally, another large database of European fans’ information, seemingly from the WWE online store, was leaked.
According to Forbes, the information was removed by the WWE on July 4. “Although no credit card or password information was included, and therefore not at risk, WWE is investigating a potential vulnerability of a database housed on a third party platform,” a WWE spokesperson said. “In today’s data-driven world, large companies store information on third party platforms, and unfortunately have been subject to similar vulnerabilities. WWE utilizes leading cybersecurity firms to proactively protect our customer data.”
The inclusion of children’s ages and ethnicity is also cause for concern: even though that information would have been given voluntarily, WWE does say it shares personal information with selected, unnamed partners. It’s an ethical gray area, to be sure, and one made exponentially more difficult considering the massive breach and mishandling of information.