The US Patent and Trademark Office (USPTO) informed more than 60,000 trademark application filers that it mistakenly left their physical addresses exposed to the public Internet for three years.
According to reports, the culprit was a leaky API that left data sets exposed, including the physical addresses that applicants must supply when they file for a trademark with the USPTO.
“When we discovered the issue, we blocked access to all USPTO non-critical APIs and took down the impacted bulk data products until a permanent fix could be implemented,” the notice sent to impacted filers and shared with TechCrunch read.
A spokesperson added the leak affected about 3% of the applications filed during the three-year time period.
“We regrettably failed to locate some of the more technical exit points and properly mask the data exported from those points,” a USPTO spokesperson added. “We apologize for our mistake and will do better to prevent such an incident from happening again, while also preserving our ability to crack down on the historic amount of filing fraud we’re seeing originate overseas.”
Jason Kent, hacker in residence with Cequence Security, said in a statement provided to Dark Reading that this type of API misconfiguration is precisely what cyberattackers are trawling for across the Internet.
“The more technical exit points are the ones the attackers tend to prefer,” Kent said. “In 2023 API security parlance, they had API9:2023 Improper Inventory Management, which allowed an attacker to find the endpoint; learn that it wasn’t authenticated (API2:2023 Broken User Authentication), which could have allowed an automated attacker to pull all of the impacted data in a very short period of time; and API6:2023 Unrestricted Access to Sensitive Business Flows.”
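The spokesperson's "failed to locate some of the more technical exit points and properly mask the data exported from those points" and Kent's inventory/authentication chain describe the same engineering gap: masking applied per endpoint instead of at one chokepoint, with no inventory of where data leaves the system. The following is an added illustration, not USPTO code or Cequence's analysis. It assumes a constructed set of filings, an assumed policy that street and postal code are the fields to withhold, a constructed examiner token, and hypothetical function names; it shows a single masking chokepoint, an inventory of public exit points, an authenticated path for the full record, and an audit that flags any inventoried exit point still emitting raw address values.

```python
"""
Added example (not USPTO code): route every public data exit point through one
masking function, keep an inventory of those exit points, and audit the
inventory so an un-masked export cannot go unnoticed.  All filings, field
names, tokens and policy choices below are constructed for illustration.
"""
import json

# Constructed sample filings; not real applicants or serial numbers.
FILINGS = [
    {"serial": "90000001", "mark": "EXAMPLEMARK", "owner": "Acme Corp",
     "address": {"street": "123 Main St", "city": "Springfield",
                 "state": "IL", "zip": "62701", "country": "US"}},
    {"serial": "90000002", "mark": "SAMPLE", "owner": "Jane Doe",
     "address": {"street": "9 Elm Rd", "city": "Leeds",
                 "state": "", "zip": "LS1 4AB", "country": "GB"}},
]

# Assumed policy for this example (not the USPTO's actual rule): street and
# postal code are mandatory on filing but must never reach a public exit point.
PRIVATE_ADDRESS_FIELDS = ("street", "zip")

# Constructed credential for the non-public (examiner) view.
EXAMINER_TOKEN = "examiner-demo-token"


def mask_filing(rec):
    """Single chokepoint: every public serialization must pass through here."""
    addr = {k: v for k, v in rec["address"].items()
            if k not in PRIVATE_ADDRESS_FIELDS}
    return {"serial": rec["serial"], "mark": rec["mark"],
            "owner": rec["owner"], "address": addr}


def register(registry):
    """Record an exit point in an inventory so it can be audited (the API9 gap)."""
    def deco(fn):
        registry[fn.__name__] = fn
        return fn
    return deco


# --- "Before": two exit points, only the obvious one masks ------------------
LEAKY_EXIT_POINTS = {}


@register(LEAKY_EXIT_POINTS)
def api_search_leaky(records, query=""):
    return json.dumps([mask_filing(r) for r in records if query in r["mark"]])


@register(LEAKY_EXIT_POINTS)
def bulk_export_leaky(records):
    # The "more technical" exit point: raw rows, no masking, no auth.
    return json.dumps(records)


# --- "After": every public exit point goes through mask_filing --------------
PUBLIC_EXIT_POINTS = {}


@register(PUBLIC_EXIT_POINTS)
def api_search(records, query=""):
    return json.dumps([mask_filing(r) for r in records if query in r["mark"]])


@register(PUBLIC_EXIT_POINTS)
def bulk_export(records):
    return json.dumps([mask_filing(r) for r in records])


def examiner_export(records, token):
    """Full addresses exist only behind an authenticated, non-public path (API2)."""
    if token != EXAMINER_TOKEN:
        raise PermissionError("examiner credential required")
    return json.dumps(records)


def leaks_private_fields(output, records):
    """True if any private address value from `records` appears verbatim in `output`."""
    return any(v and v in output
               for r in records
               for k, v in r["address"].items()
               if k in PRIVATE_ADDRESS_FIELDS)


def audit(registry, records):
    """Call every inventoried public exit point and flag the ones that leak."""
    return {name: leaks_private_fields(fn(records), records)
            for name, fn in registry.items()}


if __name__ == "__main__":
    print("before:", audit(LEAKY_EXIT_POINTS, FILINGS))
    print("after: ", audit(PUBLIC_EXIT_POINTS, FILINGS))
```

Running the audit over the "before" inventory flags `bulk_export_leaky`, the un-masked bulk product, while the API search passes; over the "after" inventory nothing leaks, and the only route to a full address is `examiner_export`, which refuses a missing or wrong token. The design point is that masking lives in one function and exit points are registered, so a new bulk product that bypasses `mask_filing` fails the audit instead of silently shipping raw data.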