A misconfigured cloud database uncovered over 800 million information linked to WordPress customers earlier than its proprietor was notified, in line with Website Planet.
The 814 million information he discovered had been traced again to the agency’s managed WordPress internet hosting enterprise DreamPress and appeared up to now again to 2018.
Within the 86GB database, there was purportedly admin and consumer data, together with WordPress login location URLs, first and final names, electronic mail addresses, usernames, roles, host IP addresses, timestamps, and configuration and safety data.
A few of the leaked data was linked to customers with .gov and .edu electronic mail addresses, Fowler claimed.
Fortuitously, the database was safe inside hours of DreamHost receiving a accountable disclosure discover from Fowler.
Nevertheless, the researcher stated it was unclear how lengthy it had been uncovered, probably placing customers liable to phishing. Risk actors scanning for uncovered databases like this have prior to now additionally stolen and ransomed the information contained inside.
Fowler additionally pointed to the database’s document of “actions” akin to area registrations and renewals.
“These might probably give an estimated timeline of when the following fee was due and the unhealthy guys might attempt to spoof an bill or create a man-in-the-middle assault,” he argued. “Right here, a cyber-criminal might manipulate the client utilizing social engineering methods to supply billing or fee data to resume the internet hosting or area registration.”
The complexity of recent cloud environments makes misconfigurations of this sort more and more frequent.
Simply final week, Fowler revealed an unprotected database containing one billion information belonging to CVS Well being.