A database owned by DreamHost, DreamPress managed WordPress hosting, was publically accessible online. 3 Years of DreamPress Customer and User Data Exposed Online
On April 16th, 2021 security researcher Jeremiah Fowler together with the Website Planet research team discovered a non-password protected database that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account related information.
Upon further research there were multiple references to DreamHost. The well known hosting provider to over 1.5 million websites also offers a simple solution to install the popular blog platform WordPress called DreamPress. According to their website: DreamPress is DreamHost’s managed WordPress hosting. It’s a scalable service that allows users to manage their WordPress sites.
The exposed log files contained what appears to be 3 years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. We immediately sent a responsible disclosure to DreamHost and the database was secured within hours. We received a reply thanking us for the notification and for raising awareness to the data exposure and were told they were investigating the exposure. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.
I received a reply from DreamHost’s security team stating: “This database was used primarily as a data warehouse for performance metrics as we worked to test improvements to our DreamPress platform. It contained a large amount of old data which we subsequently deleted in April after securing the database. The database was only publicly reachable for approximately 12 hours during a maintenance window. Logs confirm that you were the only external access. There were no additional attempts to access this data by any third parties. DreamHost also provided a more detailed account of the exposure on their blog.”Here is what we have discovered that included the following:
Total Size: 86.15 GB / Total Records: 814,709,344
The records exposed: Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
Were also exposed: Host IP addresses and timestamps, build and version information that could allow for a secondary path for malware. Plugin and theme details including configuration or security information that could potentially allow cyber criminals to exploit or gain access deeper into the network.
How the exposed records looked
A Deeper Look
The records contained information such as what themes and plugins were being used. It is well known that websites running outdated versions of WordPress, plugins and themes have an increased risk of vulnerabilities that could be exploited. Hypothetically, this dataset could have been searched using nothing more than an internet browser and a simple query command to identify outdated plugins, themes, or versions that have not installed patches for security issues. We are not implying that DreamHost did not provide the latest versions on the WordPress installations, but only highlighting the risks of running the latest versions of all software, addons, and security patches.
In a sampling of 10k records we were able to identify email addresses associated with the WordPress accounts for a wide range of domain extensions including .gov and .edu. The sampling of .gov search query returned results for a range of local and federal agencies including The United States Geological Survey, The General Services Administration, National Park Service, and even london.gov.uk. We are not implying that these websites were built on the DreamPress platform, only that these emails could potentially be users, admins or registered users and their emails were logged and stored.
The danger of these emails being exposed would be for cyber criminals to launch a targeted attack based on the domain, account, or other information that only the hosting provider or website admin would know. We saw records that listed how many administrative accounts or users were associated and listed them all with timestamps of when they were added. DreamHost has a good reputation of protecting their customers from domain hijacking or domain theft and offers domain privacy for free. This exposure appears to contain only information connected to their DreamPress managed WordPress users and not their hosting or domain customers.
The logs within these brackets also contained records of “actions,” such as domain registrations and renewals. This information could potentially provide an estimated timeline for upcoming payments, allowing malicious actors to attempt invoice spoofing or execute a man-in-the-middle attack. In this scenario, a cybercriminal could manipulate the customer through social engineering techniques, coercing them into sharing billing or payment details to renew their hosting or domain registration. As soon as the cybercriminal gains access to payment information, the risk of potential misuse of this information significantly escalates.
Most cyber crimes are for financial gain and it is estimated that these crimes will cost as much as $10.5 trillion annually by 2025 and that 98% of cyber attacks arise from some form of social engineering. This leak, if found by unethical actors, could have provided enough information for cyber criminals to target customers with a social engineering attack or try to gain access to the accounts. We are not implying that DreamHost’s customers or users were at risk but only highlighting how this information could potentially be used to raise awareness of the cyber security implications.
The way the records were structured they identified the URL or website domain name and the user’s role such as: admin, editor, subscriber, etc. This information would provide a clear picture of the hierarchy and who may be the best potential phishing or social engineering target based on their roles. The danger of having even partial administrative credentials exposed is that it removes half of the work required to access an account. Once a cyber criminal has the username, email address, and location of the WordPress admin dashboard, the only thing left is to get the password. Social Engineering is the easiest way to build a position of trust and try multiple methods to trick the victim to provide their password.
It is unclear how long the database was publicly exposed or who else may have gained access to these records. It is also unknown if DreamHost’s DreamPress users were notified of the exposure. This appears to be the first security incident affecting Dreamhost in nearly a decade. In November 2012 a PasteBin user posted a dump of server information that appeared to belong to DreamHost. That data contained basic server information, subdomains, usernames and passwords, and FTP server information. According to Wikipedia DreamHost is a Los Angeles-based web hosting provider and domain name registrar. It is owned by New Dream Network, LLC, founded in 1996.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
