The US Postal Service has patched a 'catastrophic' security flaw that exposed the data of 60 million customers.

Security investigator KrebsOnSecurity discovered a vulnerability on USPS' website that allowed anyone to see online users' street addresses, usernames, phone numbers and other personal information.

Worryingly, an independent security researcher notified USPS of the flaw more than a year ago, but the service didn't take action until this week after it was contacted by Krebs.



WHAT WAS THE SECURITY FLAW? KrebsOnSecurity discovered the flaw in an application program interface related to USPS' InformedDelivery service. This lets users see their mail before it arrives at their home. The flaw gave access to a USPS database, which included 60 million users' personal information, including email addresses, usernames, street addresses and other data. USPS says it has since patched the issue but will continue to investigate it further.

The flaw was located in an application program interface (API) tied to USPS' InformedDelivery service, which lets users see their mail before it arrives at their doorstep.

InformedDelivery essentially gives users a summary of what's arriving in the mail, including important, sensitive documents like checks and passports, among other things.

The API exposed 'near real-time data' about packages and mail being sent to customers, as well as a slew of personal information.

This includes things like phone numbers, street addresses, email addresses, usernames, account numbers and user IDs.

Krebs said there was an authentication weakness in the API that would allow almost anyone to access a USPS database with this information.

What's more, anyone with knowledge of the vulnerability could have changed another account's email address and phone number, potentially giving them full control over the account.

The USPS took action on the issue this week after it was notified of it by Krebs.


A security researcher told Krebs that the API should have made sure the account making the information requests had the proper permissions to access it.

'This is not even Information Security 101, this is Information Security 1, which is to implement access control,' Nicholas Weaver, a UC Berkeley researcher, told Krebs.

'It seems like the only access control they had in place was that you were logged in at all.

'And if you can access other peoples’ data because they aren’t enforcing access controls on reading that data, it’s catastrophically bad and I’m willing to bet they’re not enforcing controls on writing to that data as well,' he added.
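The defect Weaver describes is a missing object-level authorization check: the API confirmed that a caller was logged in, but not that the record being read or written belonged to that caller. The following is an added illustration, not USPS code or the code Krebs examined; the account store, field names and handler signatures are constructed for the example, since the real API's shape is not described. It places the "logged in at all" pattern beside a version that ties every read and every write to the record's owner.

```python
"""Object-level authorization on an API record: the missing check beside the fix.

Added example; the store and handlers are hypothetical stand-ins, not the
real InformedDelivery API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Account:
    account_id: str
    owner: str            # username that owns this record
    email: str
    phone: str
    street_address: str


class Forbidden(Exception):
    """Raised when a request is refused (not logged in, or not the owner)."""


def make_store() -> Dict[str, Account]:
    # Constructed sample data standing in for the customer database.
    return {
        "1001": Account("1001", "alice", "alice@example.test", "555-0100", "1 Main St"),
        "1002": Account("1002", "bob", "bob@example.test", "555-0101", "2 Oak Ave"),
    }


# --- Vulnerable pattern: the only gate is "is the caller logged in at all". ---

def vulnerable_get_account(store, session_user: Optional[str], account_id: str) -> Account:
    if session_user is None:
        raise Forbidden("not logged in")
    return store[account_id]            # any logged-in user can read any record


def vulnerable_update_contact(store, session_user: Optional[str], account_id: str,
                              email: Optional[str] = None, phone: Optional[str] = None) -> Account:
    if session_user is None:
        raise Forbidden("not logged in")
    acct = store[account_id]            # ... and rewrite any record's contact details
    if email:
        acct.email = email
    if phone:
        acct.phone = phone
    return acct


# --- Hardened pattern: authenticate, then authorize against the record's owner. ---

def _load_owned(store, session_user: Optional[str], account_id: str) -> Account:
    if session_user is None:
        raise Forbidden("not logged in")
    acct = store.get(account_id)
    # One error for "no such record" and "not yours", so the response does not
    # reveal which account ids exist.
    if acct is None or acct.owner != session_user:
        raise Forbidden("access denied")
    return acct


def safe_get_account(store, session_user: Optional[str], account_id: str) -> Account:
    return _load_owned(store, session_user, account_id)


def safe_update_contact(store, session_user: Optional[str], account_id: str,
                        email: Optional[str] = None, phone: Optional[str] = None) -> Account:
    # The same ownership check guards the write path, the case Weaver flagged.
    acct = _load_owned(store, session_user, account_id)
    if email:
        acct.email = email
    if phone:
        acct.phone = phone
    return acct


def denied(fn: Callable, *args, **kwargs) -> bool:
    """True if the call was refused with Forbidden; used to check the hardened path."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    print("vulnerable read of another user's record:",
          vulnerable_get_account(store, "alice", "1002").street_address)
    print("hardened read of another user's record denied:",
          denied(safe_get_account, store, "alice", "1002"))
    print("hardened write to another user's record denied:",
          denied(safe_update_contact, store, "alice", "1002", phone="555-9999"))
```

The hardened handlers route both reads and writes through one ownership check, and return the same error for "record does not exist" and "record belongs to someone else", so a rejected request cannot be used to confirm which ids are valid.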

While the service said it has no evidence that any customer records were accessed, it didn't address the vulnerability until more than a year after it was initially tipped off to the flaw by an independent researcher.

That said, the USPS said it will continue to look into the issue 'out of an abundance of caution.'


'Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously,' a USPS spokesperson told Krebs.

'Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.'

USPS' InformedDelivery has come under scrutiny in the past.

Earlier this month, the Secret Service warned that criminals were using the InformedDelivery service to commit identity theft and credit card fraud schemes.

It came after seven people were arrested for using the system to sign victims up for credit cards, then retrieving the cards from the mail before the account owners received them, racking up $400,000 worth of charges in the process.