Hosting Provider Exposed 63 Million Records and User Passwords

Jeremiah Fowler

Director of Security Research and Senior Communications Consultant


On October 5th I discovered a non-password-protected database that contained a large amount of monitoring and system logs. There were records indicating data backups, monitoring, error logging, and more. Upon further research, the database appeared to belong to the Texas-based cloud application hosting provider, Cloud Clusters Inc. According to their website, they have 4 data center locations that include Bend, Oregon; Charlotte, North Carolina; Denver, Colorado; and Dallas, Texas.

I immediately sent a responsible disclosure notice of my findings. Public access was restricted shortly after my notice. No one replied to my first messages, and after a second follow-up email on October 13th I received an acknowledgment of my notification that said, “Thanks for pointing out the problems to enhance website security. We also take data security very seriously.” It is unclear if Cloud Clusters Inc had notified customers or authorities regarding the exposure.

I saw user/password credentials for Magento, WordPress accounts, and MySQL. Magento is an eCommerce platform used to sell products or services, and WordPress is a website management system written in PHP. An exposure of login details could have potentially put these accounts and shoppers at risk. Cloud Clusters Inc’s customers could have been targeted by social engineering or spear phishing attempts using the exposed emails and credentials.

It is unclear how long these records were exposed or who else may have had access to this data. As a security researcher, I never circumvent or bypass password-protected assets. These records were publicly accessible, and no hacking was necessary to see 63.7 million records. If a cyber criminal had access to this information, it could potentially compromise those sites and eCommerce accounts. I am not implying that customers or visitors to these sites were at risk, only raising awareness of what was exposed to anyone with an internet connection. After any security breach, all administrative credentials should be changed immediately, including customer passwords or details that were captured in monitoring logs.

My full summary of the discovery was published on Secure Thoughts.
