Kromtech Security Researchers discovered portions of the WWE’s unified web site and network management system.
World Wrestling Entertainment also known as the WWE is a popular American entertainment company and promoter of professional wrestling. Although wrestling is their primary focus they also earn revenue from films, music, video games, product licensing, direct product sales, and more.
This week security researchers from Kromtech discovered two open, publicly accessible Amazon S3 buckets that contained a massive trove of information collected by third-party agencies specifically for WWE marketing purposes. We estimate that around 12 percent of all the information (several gigabytes) was set to “Public” access and available for anybody with an internet connection to view and download.
The first unsecured Amazon S3 bucket contained a large grouping of emails in txt files. The data were from 2014-15 and contained fans' names, emails, physical addresses and the results of a demographic survey of fans that asked about education, age, race, children's ages and children's genders. The total count of records was 3,065,805; researchers checked for duplicates, and in the sample they appeared to be all unique.
Data fields for 3M+ records:
action|wweuid|email|address1|address2|city|region|zipcode|countrycode|firstname|lastname|mi|gender|dob|source|source2|phone|title|favstar1|favstar2|favstar3|ethnicity|education|income|newsletterPref|childrens age|childrens gender|cableprovider|adddate|network sub|profile status
Despite all of the scripts and arguably staged matches, they have a massive fanbase and following. WWE is watched by 15 million fans each week in the United States alone, and in 2016 they announced that they are expanding into China, giving them a potential new fanbase of 1.4 billion!
One of the archives stored with public access also included a configuration file containing the name of another WWE-related bucket.
The second bucket was also partially (around 12-15 percent of the data) set to public access and contained another giant portion of marketing and customer data, including billing details (addresses, user names, etc.) of several hundred thousand European customers from 2016.
The documents also included spreadsheets with social media tracking of the WWE's social media accounts, such as YouTube, with weekly totals of plays, likes, shares and comments, and a more in-depth look at how they manage their social media and gauge fan interactions. The list was even broken down by country, so one would imagine that they can better target their ads or localized content.
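Exposure of only a fraction of a bucket's contents, as described above, is what per-object ACL grants to the AllUsers or AuthenticatedUsers groups look like. The following audit helper is an added example, not Kromtech's tooling or WWE code; it classifies ACL documents in the shape boto3's get_bucket_acl / get_object_acl return, and the object keys and owner ID in the sample are constructed.

```python
"""Flag S3 ACL grants that expose a bucket or object beyond its owner (added example)."""
from typing import Dict, List

# Grantee URIs S3 uses for "anyone on the internet" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "public", AUTH_USERS: "any-aws-account"}


def public_grants(acl: Dict) -> List[Dict[str, str]]:
    """Return the group grants in an ACL that open the resource to outsiders.

    `acl` mirrors a get_bucket_acl / get_object_acl response:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": "Group", "URI": ...},
                                 "Permission": "READ"}, ...]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are account-scoped, not public
        exposure = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if exposure:
            findings.append({"exposure": exposure, "permission": grant.get("Permission", "")})
    return findings


def audit_objects(object_acls: Dict[str, Dict]) -> Dict[str, List[Dict[str, str]]]:
    """Map object key -> public grants, keeping only objects that have any."""
    results = {key: public_grants(acl) for key, acl in object_acls.items()}
    return {key: grants for key, grants in results.items() if grants}


# Constructed sample: the bucket ACL itself is private, but one of three
# objects carries an object-level READ grant to AllUsers, and one to
# AuthenticatedUsers, so only part of the data is exposed.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
               "Permission": "FULL_CONTROL"}
SAMPLE_OBJECT_ACLS = {
    "emails/2014/part1.txt": {"Owner": {"ID": "example-owner-id"}, "Grants": [
        OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "emails/2014/part2.txt": {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER_GRANT]},
    "config/settings.json": {"Owner": {"ID": "example-owner-id"}, "Grants": [
        OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]},
}

if __name__ == "__main__":
    for key, grants in audit_objects(SAMPLE_OBJECT_ACLS).items():
        print(key, grants)
```

Against a live account, feed the responses of get_object_acl for every key listed via list_objects_v2 into audit_objects; enabling S3 Block Public Access on the account or bucket prevents such grants from taking effect at all.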
Also found was a large cache of Twitter posts, saved as search results for specified keywords related to WWE.
Big entertainment companies never share that kind of material publicly, so it is a rare view into how the WWE uses big data to understand its fanbase and the content it produces.
Both buckets were secured within a couple of hours after we sent notification messages to the email addresses of the WWE Corp developers found in the first bucket. However, no answer or feedback has been received as to how long these data were exposed, how many customers had their info exposed, or how many IP addresses may have accessed the database by now.
Despite being a global entertainment organization, very little is known about the behind-the-scenes inner workings of the privately held company. According to some estimates the WWE is valued at as much as $4 billion. Many of the folders were protected and did not allow external access. No information on the wrestlers or staff was accessible, but the leak of fan emails, names and other data is a cyber security wake-up call.
This news comes on the heels of a series of hacks involving WWE Divas’ leaked nude photos and even a sex tape scandal involving British superstar Paige. Also hacked were WWE stars Maryse, Victoria, and Alexa Bliss.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.