1. WebsitePlanet
  2. >
  3. Blog
  4. >
  5. One of the Biggest Website Hosting Providers, DreamHost, Leaked 814 Million Records Online Including Customer Data

One of the Biggest Website Hosting Providers, DreamHost, Leaked 814 Million Records Online Including Customer Data

Jeremiah Fowler Jeremiah Fowler

A database owned by DreamHost, DreamPress managed WordPress hosting, was publically accessible online.  

3 Years of DreamPress Customer and User Data Exposed Online

On April 16th, 2021 security researcher Jeremiah Fowler together with the Website Planet research team discovered a non-password protected database that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account related information.

Upon further research there were multiple references to DreamHost. The well known hosting provider to over 1.5 million websites also offers a simple solution to install the popular blog platform WordPress called DreamPress. According to their website: DreamPress is DreamHost’s managed WordPress hosting. It’s a scalable service that allows users to manage their WordPress sites.

The exposed log files contained what appears to be 3 years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. We immediately sent a responsible disclosure to DreamHost and the database was secured within hours. We received a reply thanking us for the notification and for raising awareness to the data exposure and were told they were investigating the exposure. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.

Here is what we have discovered that included the following:

  • Total Size: 86.15 GB / Total Records: 814,709,344
  • The records exposed: Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
  • Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
  • The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
  • Were also exposed: Host IP addresses and timestamps, build and version information that could allow for a secondary path for malware. Plugin and theme details including configuration or security information that could potentially allow cyber criminals to exploit or gain access deeper into the network.

dreamhost_report

How the exposed records looked

dreamhost_report

A Deeper Look

The records contained information such as what themes and plugins were being used. It is well known that websites running outdated versions of WordPress, plugins and themes have an increased risk of vulnerabilities that could be exploited. Hypothetically, this dataset could have been searched using nothing more than an internet browser and a simple query command to identify outdated plugins, themes, or versions that have not installed patches for security issues. We are not implying that DreamHost did not provide the latest versions on the WordPress installations, but only highlighting the risks of running the latest versions of all software, addons, and security patches.

In a sampling of 10k records we were able to identify email addresses associated with the WordPress accounts for a wide range of domain extensions including .gov and .edu. The sampling of .gov search query returned results for a range of local and federal agencies including The United States Geological Survey, The General Services Administration, National Park Service, and even london.gov.uk. We are not implying that these websites were built on the DreamPress platform, only that these emails could potentially be users, admins or registered users and their emails were logged and stored.

dreamhost_report

dreamhost_report

The danger of these emails being exposed would be for cyber criminals to launch a targeted attack based on the domain, account, or other information that only the hosting provider or website admin would know. We saw records that listed how many administrative accounts or users were associated and listed them all with timestamps of when they were added. DreamHost has a good reputation of protecting their customers from domain hijacking or domain theft and offers domain privacy for free. This exposure appears to contain only information connected to their DreamPress managed WordPress users and not their hosting or domain customers.

The logs also included records of “actions” such as domain registrations and renewals. This could potentially give an estimated timeline of when the next payment was due and the bad guys could try to spoof an invoice or create a man in the middle attack where a cyber criminal could manipulate the customer using social engineering techniques to provide billing or payment information to renew the hosting or domain registration. Once the cyber criminal has access to payment information the greater the possibility and risk of how the information could be used.

Most cyber crimes are for financial gain and it is estimated that these crimes will cost as much as $10.5 trillion annually by 2025 and that 98% of cyber attacks arise from some form of social engineering. This leak, if found by unethical actors, could have provided enough information for cyber criminals to target customers with a social engineering attack or try to gain access to the accounts. We are not implying that DreamHost’s customers or users were at risk but only highlighting how this information could potentially be used to raise awareness of the cyber security implications.

The way the records were structured they identified the URL or website domain name and the user’s role such as: admin, editor, subscriber, etc. This information would provide a clear picture of the hierarchy and who may be the best potential phishing or social engineering target based on their roles. The danger of having even partial administrative credentials exposed is that it removes half of the work required to access an account. Once a cyber criminal has the username, email address, and location of the WordPress admin dashboard, the only thing left is to get the password. Social Engineering is the easiest way to build a position of trust and try multiple methods to trick the victim to provide their password.

It is unclear how long the database was publicly exposed or who else may have gained access to these records. It is also unknown if DreamHost’s DreamPress users were notified of the exposure. This appears to be the first security incident affecting Dreamhost in nearly a decade. In November 2012 a PasteBin user posted a dump of server information that appeared to belong to DreamHost. That data contained basic server information, subdomains, usernames and passwords, and FTP server information. According to Wikipedia DreamHost is a Los Angeles-based web hosting provider and domain name registrar. It is owned by New Dream Network, LLC, founded in 1996.

Rate this Article
4.8 Voted by 9 users
You already voted! Undo
This field is required Maximal length of comment is equal 80000 chars Minimal length of comment is equal 10 chars

Any comments?

Reply to review
View %s replies
View %s reply

Related posts

Show more related posts

We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.

Share this blog post with friends and co-workers right now:

We check all comments within 48 hours to make sure they're from real users like you.

Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!

So happy you liked it!

Share it with your friends!

2068720
100
5000
44087186