- Total Size: 86.15 GB / Total Records: 814,709,344
- The records exposed: Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
- Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
- The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
- Were also exposed: Host IP addresses and timestamps, build and version information that could allow for a secondary path for malware. Plugin and theme details including configuration or security information that could potentially allow cyber criminals to exploit or gain access deeper into the network.
One of the Biggest Website Hosting Providers, DreamHost, Leaked 814 Million Records Online Including Customer Data
A database owned by DreamHost, DreamPress managed WordPress hosting, was publically accessible online. 3 Years of DreamPress Customer and User Data Exposed Online On April 16th, 2021 security researcher Jeremiah Fowler together with the Website Planet research team discovered a non-password protected database that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account related information. Upon further research there were multiple references to DreamHost. The well known hosting provider to over 1.5 million websites also offers a simple solution to install the popular blog platform WordPress called DreamPress. According to their website: DreamPress is DreamHost’s managed WordPress hosting. It’s a scalable service that allows users to manage their WordPress sites. The exposed log files contained what appears to be 3 years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. We immediately sent a responsible disclosure to DreamHost and the database was secured within hours. We received a reply thanking us for the notification and for raising awareness to the data exposure and were told they were investigating the exposure. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team. Here is what we have discovered that included the following: