One billion website records exposed in CVS data leak — but here's why you shouldn't worry

A CVS pharmacy counter in Saugus, Massachusetts, in 2019.
(Image credit: QualityHD/Shutterstock)

More than a billion records generated by user visits to websites operated by pharmacy chain CVS were exposed online in an unprotected database — but don't panic just yet. 

The 1,148,327,940 database entries, totaling 204 GB of data, consisted of user logs, the type of data that websites keep about their visitors. Most of those items were dull — "add to cart, configuration, dashboard, index-pattern, more refinements, order, remove from cart, search, server," as stated by researcher Jeremiah Fowler in a blog post on the WebsitePlanet site today (June 16).

There was slightly more sensitive information as well, such as randomly generated user IDs and session IDs, plus whether the visitor was accessing the website from a smartphone or a desktop computer. The data also showed what people searched for on the various CVS-run websites.

You're not supposed to be able to tie the user IDs to any particular individuals, and the CVS websites appear to be set up so that doesn't happen. 

Unfortunately, the database also contained a number of email addresses, which weren't supposed to be there. It appears that some users typed their own email addresses into search bars on the CVS websites, especially if they were accessing the sites from a mobile phone. 

"When reviewing the mobile version of the CVS site it is a possible theory that visitors may have believed they were logging into their account, but were really entering their email address into the search bar," Fowler wrote in his report. 

"This could explain how so many email addresses ended up in a database of product searches that was not intended to identify the visitor."

Email addresses can be used to track people

As the database was available to Fowler and his fellow researchers for only a short period of time, they couldn't see how many email addresses in total were exposed.

Because many of those email addresses contained part or most of a person's name, it would have been possible to match those email addresses to user IDs and then see what those individuals searched for and purchased on the CVS websites. No credit cards or other financial information was included in the database.

Spammers and scammers could also have used those email addresses to target people, although it's not clear how long the database was left unprotected online or whether anyone stole data from it. 

Fowler and his colleagues from the WebsitePlanet research team notified CVS parent company CVS Health on March 21, the day they found the database, and CVS Health locked down the database the same day.

CVS Health told Fowler the database was run by an unnamed third-party vendor.

"We were able to reach out to our vendor and they took immediate action to remove the database," Fowler quotes CVS Health as stating. "Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients."

CVS is much more than just drugstores

CVS is a lot more than just the retail drugstores that started in New England and have spread across the United States in the past couple of decades. The parent company, CVS Health, also owns and operated the CVS Caremark prescription-drug management company, which your own company may use to fulfill prescriptions under its health plan.

If that's not big enough, CVS Health also bought the 200-year-old insurance giant Aetna in 2018. The company now ranks fourth in the Fortune 500 list of the largest American companies by revenue, right after Walmart, Amazon and Apple. 

However, it seems like this data leak wasn't CVS Health's fault, as Fowler said in his blog post.

"Only human error can be blamed for both the misconfiguration that publicly exposed the database and website visitors who entered their own email addresses in the search bar," Fowler wrote. 

"We are not implying any wrongdoing by CVS Health, their contractors, or vendors. We are also not implying that customers, members, patients or website visitors were at risk. The theories expressed here are based on hypothetical possibilities of how this data could be used."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.