This is the first time I've posted to this site, so if this question belongs somewhere else please let me know. I recently was using an online service which I will not name, and I realized that there were some pages on the site containing a lot of personally identifying information including my social security number, address, name, date of birth, etc., and that these pages do not require my account credentials to access as long as the URL is known. There are on the order of 20 alpha-numeric characters in relevant portion of the URL, so it seems unlikely someone will just stumble across this page, but this still seems like a bad practice to me. (Further, it is not clear to me that the character string is random; it might have some structure to it that could be used to find similar pages of other users.)
Should this be concerning to me, or is this normal? If it should be concerning, what type of action can I take to deal with it?