A database owned by DreamHost and belonging to DreamPress, its managed WordPress hosting service, was publicly accessible online.
3 Years of DreamPress Customer and User Data Exposed Online
On April 16th, 2021 security researcher Jeremiah Fowler, together with the Website Planet research team, discovered a non-password-protected database that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account-related information.
Upon further research there were multiple references to DreamHost. The well-known hosting provider to over 1.5 million websites also offers a simple solution, called DreamPress, for installing the popular blog platform WordPress. According to their website, DreamPress is DreamHost’s managed WordPress hosting: a scalable service that allows users to manage their WordPress sites.
The exposed log files contained what appears to be 3 years of records, ranging from 3/24/2018 to 4/16/2021, and each contained information about WordPress accounts hosted or installed on DreamHost’s servers and their users. We immediately sent a responsible disclosure notice to DreamHost and the database was secured within hours. We received a reply thanking us for the notification and for raising awareness of the data exposure, and were told they were investigating it. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.
Here is what we discovered:
- Total Size: 86.15 GB / Total Records: 814,709,344
- The records exposed: admin and user information for what appears to be DreamPress accounts for WordPress installations. These include the WordPress login URL, first and last names, email addresses, usernames, and roles (admin, editor, registered user, etc.).
- Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
- The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
- Also exposed: host IP addresses and timestamps, plus build and version information that could offer a secondary path for malware. Plugin and theme details, including configuration or security information, could potentially allow cyber criminals to exploit the site or gain access deeper into the network.
[Screenshot: how the exposed records looked]
A Deeper Look
The records contained information such as which themes and plugins were in use. It is well known that websites running outdated versions of WordPress, plugins, and themes have an increased risk of vulnerabilities that could be exploited. Hypothetically, this dataset could have been searched using nothing more than an internet browser and a simple query to identify outdated plugins, themes, or versions that had not been patched for security issues. We are not implying that DreamHost did not provide the latest versions on the WordPress installations; we are only highlighting the importance of running the latest versions of all software, add-ons, and security patches.
In a sampling of 10k records we were able to identify email addresses associated with the WordPress accounts for a wide range of domain extensions, including .gov and .edu. A search of the sample for .gov addresses returned results for a range of local and federal agencies, including the United States Geological Survey, the General Services Administration, the National Park Service, and even london.gov.uk. We are not implying that these websites were built on the DreamPress platform, only that the owners of these emails could potentially be users, admins, or registered users of such sites, and that their emails were logged and stored.
The danger of these emails being exposed is that cyber criminals could launch a targeted attack based on the domain, account, or other information that only the hosting provider or website admin would know. We saw records that listed how many administrative accounts or users were associated with a site and listed them all, with timestamps of when they were added. DreamHost has a good reputation for protecting their customers from domain hijacking or domain theft and offers domain privacy for free. This exposure appears to contain only information connected to their DreamPress managed WordPress users and not their hosting or domain customers.
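An added example, not code from the Website Planet post or from DreamHost, of how an incident responder could triage a sample of records with the layout described above (role, ID, display name, email, site URL, added-at timestamp) to scope notification: distinct affected emails, .gov/.edu addresses, privileged accounts per site, and the date range. The field names and all sample records are constructed assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed JSON-lines sample mirroring the described record layout; nothing here is real data.
SAMPLE_LOG = """\
{"ID": 1, "role": "administrator", "display_name": "Site Owner", "email": "owner@example-blog.test", "site_url": "https://example-blog.test/wp-login.php", "added_at": "2018-03-24T10:02:11Z"}
{"ID": 2, "role": "editor", "display_name": "Ed", "email": "ed@example-blog.test", "site_url": "https://example-blog.test/wp-login.php", "added_at": "2019-07-01T08:15:00Z"}
{"ID": 3, "role": "administrator", "display_name": "Backup Admin", "email": "it@agency.gov", "site_url": "https://example-blog.test/wp-login.php", "added_at": "2020-11-30T16:45:09Z"}
{"ID": 4, "role": "subscriber", "display_name": "Reader", "email": "student@campus.edu", "site_url": "https://other-site.test/wp-login.php", "added_at": "2021-04-16T02:00:00Z"}
{"ID": 5, "role": "subscriber", "display_name": "Reader2", "email": "Owner@example-blog.test", "site_url": "https://other-site.test/wp-login.php", "added_at": "2021-01-05T12:00:00Z"}
"""

HIGH_PRIVILEGE = {"administrator", "admin", "editor"}   # roles worth notifying first
WATCH_TLDS = (".gov", ".edu", ".gov.uk")                # public-sector suffixes from the article


def parse_records(text):
    """Parse JSON lines; skip blank or malformed lines instead of aborting the whole triage."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def triage(records):
    """Summarise exposure scope so notification and hardening can be prioritised."""
    emails = {r["email"].lower() for r in records if r.get("email")}      # case-folded, deduplicated
    tld_hits = Counter(t for e in emails for t in WATCH_TLDS if e.endswith(t))
    privileged_by_site = defaultdict(set)
    for r in records:
        if r.get("role", "").lower() in HIGH_PRIVILEGE:
            privileged_by_site[r["site_url"]].add(r["email"].lower())
    stamps = sorted(datetime.fromisoformat(r["added_at"].replace("Z", "+00:00"))
                    for r in records if r.get("added_at"))
    return {
        "total_records": len(records),
        "distinct_emails": len(emails),
        "sensitive_tld_counts": dict(tld_hits),
        "privileged_accounts_per_site": {s: len(v) for s, v in privileged_by_site.items()},
        "date_range": (stamps[0].date().isoformat(), stamps[-1].date().isoformat()) if stamps else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_records(SAMPLE_LOG)), indent=2))
```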
The logs also included records of “actions” such as domain registrations and renewals. This could potentially give an estimated timeline of when the next payment was due, and the bad guys could try to spoof an invoice or mount a man-in-the-middle attack in which a cyber criminal uses social engineering techniques to manipulate the customer into providing billing or payment information to renew the hosting or domain registration. Once a cyber criminal has access to payment information, the possibilities for misusing it only grow.
Most cyber crimes are for financial gain and it is estimated that these crimes will cost as much as $10.5 trillion annually by 2025 and that 98% of cyber attacks arise from some form of social engineering. This leak, if found by unethical actors, could have provided enough information for cyber criminals to target customers with a social engineering attack or try to gain access to the accounts. We are not implying that DreamHost’s customers or users were at risk but only highlighting how this information could potentially be used to raise awareness of the cyber security implications.
The records were structured so that they identified the URL or website domain name and the user’s role, such as admin, editor, or subscriber. This information would provide a clear picture of the hierarchy and of who may be the best potential phishing or social engineering target based on their role. The danger of having even partial administrative credentials exposed is that it removes half of the work required to access an account. Once a cyber criminal has the username, email address, and location of the WordPress admin dashboard, the only thing left is to get the password. Social engineering is the easiest way to build a position of trust and try multiple methods to trick the victim into providing their password.
It is unclear how long the database was publicly exposed or who else may have gained access to these records. It is also unknown whether DreamHost’s DreamPress users were notified of the exposure. This appears to be the first security incident affecting DreamHost in nearly a decade. In November 2012 a Pastebin user posted a dump of server information that appeared to belong to DreamHost. That data contained basic server information, subdomains, usernames and passwords, and FTP server information. According to Wikipedia, DreamHost is a Los Angeles-based web hosting provider and domain name registrar. It is owned by New Dream Network, LLC, founded in 1996.