DreamHost, a Los Angeles-based web hosting company sustained an unprotected database that was publicly accessible online, which hosted 814 million records including customer data.
On 16th April 2021 security researcher Jeremiah Fowler together with the Website Planet research team discovered a non-password-protected database that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account-related information.
DreamPress is DreamHost’s managed WordPress hosting. It’s a scalable service that allows users to manage their WordPress sites.
According to Website Planet, the logs contained 3 years of records that ranged from 3/24/2018 to 4/16/2021, and each log includes information about WordPress accounts hosted or installed on DreamHost’s server and their users.
Website Planet team immediately sent a disclosure to DreamHost about the exposed database, and within hours the database was secured. DreamHost thanked the Website Planet team for raising awareness of the data exposure and notified them that they are now investigating the exposure.
Here is what Website Planet’s team discovered that included the following:
- Total Size: 86.15 GB / Total Records: 814,709,344
- The records exposed: Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
- Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
- The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
- Were also exposed: Host IP addresses and timestamps, build and version information that could allow for a secondary path for malware. Plugin and theme details including configuration or security information that could potentially allow cybercriminals to exploit or gain access deeper into the network.
The record in question contained information on the themes and plugins that were used on the website. In a blog post, Website planet added that “Hypothetically, this dataset could have been searched using nothing more than an internet browser and a simple query command to identify outdated plugins, themes, or versions that have not installed patches for security issues. We are not implying that DreamHost did not provide the latest versions on the WordPress installations, but only highlighting the risks of running the latest versions of all software, addons, and security patches.”
In the sample 10K records, the team was able to identify accounts that were associated with .gov and .edu domain names. “The sampling of .gov search query returned results for a range of local and federal agencies including The United States Geological Survey, The General Services Administration, National Park Service, and even london.gov.uk. We are not implying that these websites were built on the DreamPress platform, only that these emails could potentially be users, admins, or registered users, and their emails were logged and stored.”
It is unclear how long the database was publicly exposed for and or who may have gained access to it. Thanks to Jeremiah Fowler and Website Planet that millions of potential customer’s records were driven back into the safe box.