The Website Planet research team, in cooperation with security researcher Jeremiah Fowler, discovered a non-password protected database that contained just under one billion records. The exposed records revealed usernames, display names, and emails for WordPress accounts.

The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account related information. The exposed log files contained what appears to be three years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. 

Kevin Dunne, President at Pathlock, a Flemington, New Jersey-based provider of unified access orchestration, says, "The recent DreamHost leak highlights an important threat vector that exists in today's landscape - third party hosting providers. As companies look to increase efficiency and enable remote work, they are frequently moving in-house hosted solutions (websites, ERP's, databases, etc.) to these publicly available providers. Given the concentration of customer data, these hosting services are becoming a ripe target for bad actors, especially ransomware attackers who are looking to businesses that rely on availability, security, and customer satisfaction. Customers need to ensure that they do their due diligence before trusting a hosting provider with their business-critical data, as a breach for the hosting provider often means a breach for the customer, and triggers notification and remediation incurring cost and lost revenue."

According to Website Planet researchers, email addresses of internal and external users could have been targeted in phishing attacks or other social engineering scams. The database was also at risk of a ransomware attack due to configuration settings that allowed public access. Host IP addresses and timestamps, build and version information could have allowed for a secondary path for malware. Plugin and theme details including configuration or security information could have potentially allow cybercriminals to exploit or gain access deeper into the network.

Upon discovery of the unsecured database, the Website Planet team sent a disclosure to DreamHost and the database was secured within hours. On May 4th, a DreamHost representative acknowledged the discovery and informed Website Planet that the finding was being passed on to their legal team.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Fla.-based provider of cybersecurity and compliance software, explains, "Usually one would expect a hosting provider to know what needs to be done, to be able to protect its customer and its hosting environment. They should also know that whatever you connect to the public internet will be discovered. DreamHost itself seems to be agnostic about the incident, there’s no mention of the incident on its website or Twitter account, yet. The exposed data is a valuable trove for any attacker, as they can do tons of things here, like taking control of a huge number of webspace to install cryptominers. On the DreamHost side, this an utter lack of doing the essentials in cybersecurity, as they missed to check their exposure, to control any changes in settings and files, just to name a few."

Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "Organizations and individuals should keep a close eye on exposed user accounts to guard against increases in social engineering attacks attempting to obtain passwords and further login details. For organizations hosting this level of detailed information, databases need to be highly secured, audited for access, and checked for vulnerabilities and public exposure; otherwise, these types of data loss incidents will continue."

For the full report, please visit https://www.websiteplanet.com/blog/dreampress-leak-report/