A database owned by US-based web host DreamHost was found unsecured and publicly accessible, leaving 814,709,344 records in total exposed, cybersecurity researcher Jeremiah Fowler disclosed in a post on Website Planet, a site for web developers, on Thursday, June 24.

Fowler said he and the Website Planet team on discovered the unsecured database on April 16.

There appeared to be three years worth of records in the unsecured database, ranging from March 24, 2018 to April 16, 2021.

The database had information on DreamHost users as well as information on WordPress accounts hosted or installed on DreamHost’s server. 

According to Fowler’s disclosure, the 86.15 GB of data on the database had the following exposed records:

• Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
• Email addresses of internal and external users which could potentially be targeted in phishing attacks or social engineering scam attempts.

The following were also exposed:

• Host IP addresses and timestamps as well as build and version information which could allow for a secondary path for malware.
• Plugin and theme details – including configuration or security information. These could potentially allow cyber criminals to exploit or gain access deeper into the network.

The report also said the database was “at risk of a ransomware attack due to the configuration settings that allowed public access.”

Responsible disclosure

DreamHost and the database were secured within hours of a responsible disclosure made by Fowler and the Website Planet team in May.

A DreamHost representative acknowledged the discovery on May 4, and said that the finding was being passed on to their legal team.

The report, however, added it was “unclear how long the database was publicly exposed or who else may have gained access to these records. It is also unknown if DreamHost’s DreamPress users were notified of the exposure.”

In a Forbes report, DreamHost claimed the data only contained “performance metrics of a small number of our customers’ sites.”

A DreamHost spokesperson added, “It was available for approximately 12 hours before being removed. During this time we believe this database was accessed by a single internet user – a security researcher who had been scanning our IP space. He alerted us to the finding as we were already in the process of taking it down.”

“This database did not contain personally identifying information of DreamHost customers as defined by a variety of statutes in jurisdictions in which we operate, nor did it contain any user passwords (encrypted or otherwise),” the spokesperson added.

Fowler meanwhile said first and last names, as well as some middle initials, were within the user and admin account names.

That, he said, provided “a clear connection to a real person, their email, and what websites they own or subscribe to.”

In relation to DreamHost’s claim the issue only affected a small number of its customers’ sites, Fowler said, “In a random sampling of 10,000 records we conducted search queries for domain extensions and can validate the following: .com appeared 99,078 times, .org 11,544, .net 11,054, and .us 454. This was a small sampling of the total 814,709,344 records. So to say this was a small number of domains may not be fully accurate.” – Rappler.com