Webmaster forum database exposed data of 800,000 users

A database belonging to Digital Point exposed user email addresses, names, and more.
Written by Charlie Osborne, Contributing Writer

A database belonging to the Digital Point webmaster forum leaked the records of over 800,000 users. 

San Diego, California-based Digital Point describes itself as the "largest webmaster community in the world," bringing together freelancers, marketers, coders, and other creative professionals. 

On July 1, the WebsitePlanet research team and cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak. 

See also: Intel investigating breach after 20GB of internal documents leak online

According to the team, names, email addresses, and internal user ID numbers were made publicly available. 

In addition, internal records and user post details were stored in the open database. While examining the database to find out who the owner was, the researchers stumbled across sets of data relating to forum members who flagged posts and the reasons behind these reports -- including allegations of "bad business dealings," spam, and other reasons, some described as appearing to be "petty and personal."


Aside from the usual security ramifications of user data theft and phishing, the database could have become one of many to succumb to Meow Bot, an automated script that was responsible for the compromise of thousands of unsecured MongoDB and Elasticsearch databases in July. Once the script has been deployed, it overrides data with numbers and the word "meow."

CNET: Online-voting company pushes to make it harder for researchers to find security flaws

"One of the dangers of a non-password protected database is that it is a sitting target waiting to be stolen, encrypted, or deleted," the team says. 

Fowler sent a responsible disclosure notice to Digital Point on July 1, the same day the leak was discovered, by way of a suitable email address found within the database. The alert was taken seriously and access to the database was revoked within hours. 

However, the forum did not communicate with the researchers or respond to follow-up requests. 

TechRepublic: Apple will release iOS 14 without this privacy feature: What iPhone users and developers need to know

ZDNet has reached out to Digital Point and will update when we hear back. 

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards