This is the first time I've posted to this site, so if this question belongs somewhere else please let me know. I recently was using an online service which I will not name, and I realized that there were some pages on the site containing a lot of personally identifying information including my social security number, address, name, date of birth, etc., and that these pages do not require my account credentials to access as long as the URL is known. There are on the order of 20 alpha-numeric characters in the relevant portion of the URL, so it seems unlikely someone will just stumble across this page, but this still seems like a bad practice to me. (Further, it is not clear to me that the character string is random; it might have some structure to it that could be used to find similar pages of other users.)

Should this be concerning to me, or is this normal? If it should be concerning, what type of action can I take to deal with it?

Steffen Ullrich
j_v_wow_d
  • Does this answer your question? [Is a website published in an obscure directory comparably secure to being placed behind a login?](/questions/89108/), [Is random URL token secure enough for file attachments and other user content?](/questions/112021/), [Is a long, random string in a URL considered adequate protection from unauthorised access?](/questions/83801), [Are random URLs a safe way to protect profile photos?](/questions/58215). – Steffen Ullrich Apr 09 '22 at 06:03

0 Answers