Healthcare.gov has been racked with technical problems since the site's launch, but a new vulnerability may have unintentionally exposed users. Last week, researcher Ben Simo reported that the site's Password Reset function was vulnerable to social engineering, and that by manipulating the site, an attacker could deduce whether a given username was in use and what email address was associated with that username. The vulnerability was reportedly fixed on Monday, but for days after, crucial user info was exposed to anyone with rudimentary web skills.
The email exposure may sound minor, but it's crucial info for healthcare fraudsters, who may seek to target citizens as they enter the exchange. It's also a bad sign for the overall design of the site, since the hack in question is relatively simple to execute or predict. On Twitter, the researcher was careful to note that he did not hack any Healthcare.gov accounts, but deduced the vulnerability from observing publicly available documents and disclosed it in the spirit of public safety.
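The class of flaw described above, a reset form whose response reveals whether a username exists and which email belongs to it, is shown here next to a corrected form that answers identically in both cases. This is an added example, not Healthcare.gov's code; the account store, function names and messages are all constructed for illustration.

```python
import secrets

# Constructed sample data: username -> email (not real accounts).
ACCOUNTS = {"jdoe": "jdoe@example.org"}
OUTBOX = []  # stands in for an outbound mail queue

GENERIC = "If that account exists, a reset link has been sent to its email address."


def reset_leaky(username):
    """Weak pattern: status and body differ per account, and the body echoes the email."""
    email = ACCOUNTS.get(username)
    if email is None:
        return {"status": 404, "body": "No account found for that username."}
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {"status": 200, "body": f"Reset link sent to {email}."}


def reset_uniform(username):
    """Corrected pattern: same status and body whether or not the account exists."""
    email = ACCOUNTS.get(username)
    token = secrets.token_urlsafe(32)  # generated on both paths so the work is similar
    if email is not None:
        OUTBOX.append((email, token))  # the address only ever travels by mail
    return {"status": 200, "body": GENERIC}


def distinguishable(handler, known, unknown):
    """Regression check: True if the responses let a caller tell the two usernames apart."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = distinguishable(handler, "jdoe", "no-such-user")
        print(f"{handler.__name__}: responses distinguishable = {leaks}")
```

A check like `distinguishable` belongs in the test suite for any reset, login or sign-up endpoint; the same comparison should also be made on response headers and timing.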