is incredibly insecure, according to experts


The website is insecure enough that a white-hat hacker was able to locate records on roughly 70,000 people with nothing more than an advanced Google search, without attacking the site itself.

The hacker is David Kennedy, founder of the security firm TrustedSec, who has been warning the public and the government about the website's insecurity for some time; he testified on it before a Congressional committee in November.

“I don’t understand how we’re still discussing whether the website is insecure or not. It is; there’s no question about that. It is insecure – 100 percent,” he said. In an earlier blog post he had written that “out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed and since my last appearance, other security researchers have also identified an additional 20+ exposures on the site.”


Kennedy said he was able to reach the records of 70,000 people in only a few minutes through a Google search, and that 70,000 was simply where he chose to stop, not the limit of what was exposed. “70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I’m sure it’s hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it’s just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself,” he told Fox News Sunday.

Kennedy is not alone in his assessment of the website. Other well-known white-hat hackers, including Chris Nickerson, Kevin Mitnick, Ed Skoudis and John Strand, have signed statements to the same effect. Kennedy added that “everything that we’ve seen from the website is a symptomatic problem of a much larger issue of how they code the website so I’d be very concerned with using it.”

[via The Verge, Computer World, image via Marjan Krebelj’s flickr]

  • Bub

    I can’t find in any reports specifics of what information was leaked in those 70,000 records. It could be anywhere from innocuous anonymized data to serious stuff like social security numbers. Without that information, I don’t know how to interpret the severity of this report.

    Apart from that, though, I do suspect that the site is highly vulnerable.

    On a related note, I helped a friend sign up for one of the new health plans directly through the insurance company (Medical Mutual), rather than through the site. Our intention was to avoid putting her information into the potentially insecure site.

    We did find advantages to signing up this way. The insurer actually offered lower rates when not going through the government site, and they offered a “platinum” level plan that wasn’t available on the site. On the down side, if you qualify for subsidies, then enrolling directly with the insurer means that you can’t take the subsidy as a reduction in your monthly rates, but rather as a year-end tax credit.

    But what about the hoped-for security benefits? I can attest that we had nothing to worry about from an insecure enrollment website, because the insurer had no enrollment website at all. Their enrollment process consisted of emailing us a PDF of their form, us filling out the form, scanning it, and emailing it back to them. That’s right, they required that the completed form, including SSN (and credit card # or checking account #, if you used those payment options) be sent in plain, unencrypted email. That made me feel a lot more secure!

    Perhaps this was only Medical Mutual, and other insurers are able to do something a little more secure than that. I certainly hope so.

  • Seamus McSeamus

    Step away from the Kool-Aid!

  • kevbo

    But it’s for our own good, we’ll all be better off.

    We should be grateful to have such a generous and selfless government that puts the welfare of the people above all else.

    Oh wait, scratch that. I was thinking of North Korea, or maybe it was Cuba.

    Now where did I put that Kool-Aid.