DreamHost Mistake Leaks 815 Million-Record Database Of Website Owner Data
A huge database belonging to one of the world’s largest web hosts, Los Angeles-based DreamHost, was left open online earlier this year, leaking names, usernames and email addresses of its customers, a cybersecurity researcher has warned.
The data, wrapped up in a database containing 815 million records, also included administrator and user information for DreamPress, DreamHost’s widely used service for WordPress websites. The data appeared to date back at least three years to 2018, though it’s unclear how long the database was openly accessible. Combined, the data could have been used in attempts to break into users’ accounts, warned Jeremiah Fowler, an independent cybersecurity researcher who partnered with Website Planet, a website for web developers, to disclose the leak.
“All a criminal would have to do is send an email saying please update your password and send them to a cloned page and capture any password the victim would enter,” Fowler told Forbes. “Also domain theft is another dangerous issue and once a criminal has private information about the account they could try to steal the domain. This information should only be known by the registrar or hosting provider and the client, so to have this information leaked creates another challenge.”
Fowler disclosed the breach in May, and DreamHost responded quickly, taking the database down from public view. DreamHost claimed the data only contained “performance metrics of a small number of our customers’ sites.” “It was available for approximately 12 hours before being removed,” a DreamHost spokesperson said. “During this time we believe this database was accessed by a single internet user - a security researcher who had been scanning our IP space. He alerted us to the finding as we were already in the process of taking it down.
“This database did not contain personally identifying information of DreamHost customers as defined by a variety of statutes in jurisdictions in which we operate, nor did it contain any user passwords (encrypted or otherwise).” After publication, DreamHost issued a post stating that the leaked data only linked to 21 websites.
Fowler said there were first and last names, as well as some middle initials, within the user and admin account names. That provided “a clear connection to a real person, their email, and what websites they own or subscribe to.” On DreamHost’s claim that a small number of websites were included in the breach, Fowler added: “In a random sampling of 10,000 records we conducted search queries for domain extensions and can validate the following: .com appeared 99,078 times, .org 11,544, .net 11,054, and .us 454. This was a small sampling of the total 814,709,344 records. So to say this was a small number of domains may not be fully accurate.”
The leak comes a week after Fowler revealed a similar-sized leak occurred at healthcare retail giant CVS. The company also acted swiftly to secure the database, though it was another incident in a long line of large businesses accidentally exposing customers’ information.