On April 16th, 2021, security researcher Jeremiah Fowler, together with the Website Planet research team, discovered that a database owned by DreamHost (DreamPress managed WordPress hosting) was publicly accessible online.
A non-password-protected database
DreamPress is DreamHost’s managed WordPress hosting. This scalable service allows users to manage their WordPress sites. Around 814 million customer records had been leaked through this non-password-protected database. Fowler published a blog post about the leaked data, saying:
“The exposed log files contained what appears to be three years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. We immediately sent a responsible disclosure to DreamHost and the database was secured within hours. We received a reply thanking us for the notification and raising awareness of the data exposure and were told they were investigating the exposure. On May 4th, a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.”
Fowler said in his blog post that the leaked data included admin and user information for DreamHost’s DreamPress WordPress hosting accounts, such as login location, first and last names, email addresses, usernames, roles, host IP addresses, and timestamps. The total size of the exposed data was 86.15 GB, with 814,709,344 total records.