Metal padlock on laptop keyboard showing database leak of customer data

DreamHost Database Leak Exposed 815 Million Records of Customer Data

Jeremiah Fowler and Website Planet security researchers discovered an unsecured database containing close to 1 billion records from one of the world’s largest web hosts, DreamHost.

The exposed customer data was up to three years old, ranging from March 24, 2018 to April 16, 2021. It was unclear how long the database was publicly accessible.

The research team discovered the database leak on April 16, 2021 and immediately contacted DreamHost and the database was secured shortly after. The company acknowledged the data exposure on May 4, 2021, adding that the finding was being passed on to their legal team.

DreamHost database leak exposed WordPress user and configuration information

The database leak exposed 814,709,344 records containing admin and user information of WordPress accounts hosted or installed on DreamPress. The platform allows customers to manage their WordPress websites and scale easily.

The incident is the second breach to affect the Los Angeles-based web hosting services provider in a decade after a user dumped server information on PasteBin in 2021.

The DreamHost leak exposed customer data including WordPress login location URL, personally identifying information such as first and last names and email addresses, user accounts’ information such as usernames and roles e.g. admin, editor, registered user, among others.

Fowler noted that attackers could connect individuals to the websites they subscribed to using their email addresses.

A random sampling of 10,000 records from the exposed customer data discovered some .gov and .edu domains. According to the researchers, .com domains appeared 99,078 times, .org 11,544, .net 11,054, and .us 454 times.

A search query also returned the names of government agencies such as The United States Geological Survey, The General Services Administration, National Park Service, and london.gov.uk.

However, the researchers explained that admins or users could have registered on the affected websites using their work email.

The database leak also exposed host IP addresses, timestamps, build versions, plugin, and theme details, including configuration and security information. Various transactions such as domain registrations and renewals were also exposed in the database leak.

DreamHost database leak exposed customer data to potential ransomware attacks

Website Planet researchers noted that exposing configuration and security information could allow ransomware attackers to compromise the websites.

Exposing user emails also puts customers at risk of targeted phishing attacks and social engineering fraud using information only known to domain owners, users, or the hosting provider.

They could use this information to bill customers and demand payment for domains and subscriptions or request customers’ payment information. Similarly, the database leak exposed website operators to the risk of potential domain theft.

The user role information exposed could also allow attackers to identify individuals with administrative rights and target them. Hackers could possibly use the exposed configuration and security information to exploit various security flaws in outdated themes, plugins, and WordPress installations.

DreamHost, however, disputed that any malicious actors could use the exposed customer data to compromise user accounts. Moreover, the company claimed that the database leaked customer data of only 21 current and past website owners who were duly contacted.

Additionally, DreamHost blamed a firewall misconfiguration for the database leak adding that only a single hacker accessed the database during the period. However, the web hosting company admitted using a logging database to store test data for feature development without proper authentication.

“Misconfigurations continue to be a significant source of breaches both in the public cloud and private data centers,” said Saumitra Das, CTO and Cofounder, Blue Hexagon. “One key element of this breach is how it revealed the software stacks of the affected users and would allow the attackers to not just sell the data they stole but perform follow-on phishing or vishing attacks on those users based on this knowledge or even triangulate the hosted websites of those users and attempt to exploit them based in the software versions revealed in this breach.”

Das said every database leak increased the amount of usable information under hackers’ control.

“Breaches are becoming a chain with each piece of stolen data enriching information and techniques that attackers can use to further their aim. Each data breach adds to the knowledge graph of victims an attacker has, to allow them to choose the next easiest or most profitable step to take.”