According to security expert Jeremiah Fowler, the database measured over 200GB and contained over a billion records. It held a large number of searches made on CVS.com and CVSHealth.com for medications, Covid-19 vaccines, and other items.
Surprisingly, though, the database, which was marked as “production”, also housed a large number of email addresses.
“CVS Health acted fast and professionally to secure the data and a member of their Information Security Team contacted me the following day and confirmed my findings and that the data was indeed theirs,” Fowler noted.
CVS told Forbes that the database was looked after by a third-party vendor, and was quickly taken down after Fowler flagged the leak.
Fowler noticed the email addresses from all the popular email service providers while perusing the database for personally identifiable information.
Mostly though, the database contained records that indicated visitors searching for a range of items.
During his communication with CVS, Fowler learnt that the database was a dump of the queries entered into the search bar. Since most of the email addresses were entered on mobile devices, he surmises that the app’s user interface misled users into entering their email address in the search bar, thinking they were logging into their account.
Fowler believes the inadvertent collection of email addresses highlights the risks of incessant activity logging.
“I recommended to CVS that in the future they should block any searches that match email address patterns or domain names from being executed or logged. This could help avoid unwanted data from being collected or stored,” Fowler suggests.
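One way to implement the recommendation above, as an added example that is not code from the article, Fowler, or CVS: a filter placed in front of the search handler that refuses to execute or log queries resembling email addresses or domain names. The patterns, function names, and log record shape are assumptions chosen for illustration.

```python
import re

# Assumed patterns for illustration; tune them against real query traffic.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# A whole token shaped like a hostname with an alphabetic TLD, e.g. "example.com".
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}$", re.IGNORECASE
)


def classify_query(query):
    """Return 'email', 'domain' or 'ok' for a raw search-bar string."""
    # Mobile keyboards often leave spaces around '@'; collapse them first.
    compact = re.sub(r"\s*@\s*", "@", query.strip())
    if EMAIL_RE.search(compact):
        return "email"
    # Check each token so "my site example.com" is caught as well.
    if any(DOMAIN_RE.match(tok.strip(".,;")) for tok in compact.split()):
        return "domain"
    return "ok"


def handle_search(query, log):
    """Run the search only for 'ok' queries; never write blocked text to the log."""
    verdict = classify_query(query)
    if verdict != "ok":
        # Record that a block happened and why, but not what the user typed.
        log.append({"event": "search_blocked", "reason": verdict})
        return None
    cleaned = query.strip()
    log.append({"event": "search", "q": cleaned})
    return cleaned  # a real handler would pass this on to the search backend


if __name__ == "__main__":
    # Constructed sample queries, not taken from the exposed database.
    samples = ["covid-19 vaccine", "jane.doe @ example.com", "example.com"]
    audit_log = []
    for s in samples:
        handle_search(s, audit_log)
    for entry in audit_log:
        print(entry)
```

The domain rule also blocks dotted product names typed without a space, so a deployment would weigh that false-positive rate against the privacy gain.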