The U.S. Postal Service (USPS) has been found sharing the personal information of millions of Americans, including customer addresses, with prominent technology companies. This discovery has raised significant concerns about privacy violations and the risk of doxxing.
An investigation uncovered that USPS was using hidden tracking pixels on its website to gather user data, including addresses from those logged into the Informed Delivery service. This data was shared with tech companies without users’ knowledge or consent. With over 62 million users of the Informed Delivery service as of March 2024, the scale of the breach is substantial.
USPS officials have stated that the Postal Service uses an analytics platform for internal purposes to understand product usage and marketing strategies. They emphasized that personal information is not sold or shared with third parties. However, they admitted to being unaware of the platform’s configuration that led to this issue.
A representative from one tech company confirmed that their policies prohibit the transmission of sensitive information through their tools and that their system is designed to prevent such occurrences. Representatives from the other involved companies have not yet responded to inquiries.
Testing confirmed that addresses from the Informed Delivery service were being sent to these tech companies. Alongside addresses, other data, such as information about users’ computers and browsers, was collected. Though pseudonymized, this data could still potentially be used to re-identify individuals.
The breach also involved tracking numbers entered on the USPS website, which were shared with various advertisers and tech companies. USPS has not revealed whether it will seek the deletion of the collected data or take additional actions.