Per a Krebs on Security report, the flaw was first discovered more than a year ago by an independent security researcher, who informed the mail service but never received word back until Krebs reached out last week on the researcher's behalf.

The API was part of the USPS "Informed Visibility" program, which is designed to help empower bulk mail senders with near real-time tracking data. The problem is that the API was programmed to accept any number of "wildcard" search parameters, so anyone who logged into the system and had a basic understanding of modifying parameters in the web browser console could pull up reams of data on other users. Everything from usernames and account numbers to physical addresses and phone numbers was there for the taking.

"This is not even Information Security 101, this is Information Security 1, which is to implement access control," Nicholas Weaver, a researcher at the International Computer Science Institute, told Krebs. "It seems like the only access control they had in place was that you were logged in at all. And if you can access other peoples' data because they aren't enforcing access controls on reading that data, it's catastrophically bad and I'm willing to bet they're not enforcing controls on writing to that data as well."
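The access-control gap described above, shown as an added Python sketch that is not code from USPS, Krebs or Engadget: a search handler that only checks for a logged-in session and honors wildcards, beside one that rejects wildcards and scopes results to the caller's own account. All function names, field names and records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:              # constructed schema, not the real USPS data model
    account_id: str
    username: str
    phone: str

ACCOUNTS = [                # constructed sample records
    Account("1001", "alice", "555-0100"),
    Account("1002", "bob", "555-0101"),
    Account("1003", "carol", "555-0102"),
]
SEARCHABLE = {"account_id", "username"}   # allow-list of query fields
WILDCARDS = set("*%?")

class Forbidden(Exception):
    """Caller is not authorized for the requested records."""

def search_authn_only(session_account_id, params):
    """Flawed pattern: the only check is that a session exists, and '*' matches anything."""
    if session_account_id is None:
        raise Forbidden("login required")
    return [a for a in ACCOUNTS
            if all(v == "*" or getattr(a, k) == v for k, v in params.items())]

def search_authorized(session_account_id, params):
    """Hardened pattern: validate parameters, then enforce ownership on every read."""
    if session_account_id is None:
        raise Forbidden("login required")
    for field, value in params.items():
        if field not in SEARCHABLE:
            raise ValueError(f"unsupported search field: {field}")
        if WILDCARDS & set(value):
            raise ValueError(f"wildcards not accepted in {field}")
    # Authorization: an explicit account_id must be the caller's own.
    if params.get("account_id", session_account_id) != session_account_id:
        raise Forbidden("account does not belong to caller")
    # Results are always scoped to the caller, whatever else was asked for.
    return [a for a in ACCOUNTS
            if a.account_id == session_account_id
            and all(getattr(a, k) == v for k, v in params.items())]
```
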

Engadget has reached out to the USPS for comment and will update this post upon its reply.

Update 11/21/18 4:12pm ET: A rep for the USPS has issued the following statement: