The world’s largest webmaster forum has been found wanting in terms of its cybersecurity posture after researchers discovered an unprotected database leaking data on nearly 900,000 users.
Digital Point provides a platform for members to chat and buy and sell websites, domains and digital services.
Back in July, researchers at WebsitePlanet teamed up with Jeremiah Fowler to discover an Elasticsearch database belonging to Digital Point that was left online without password protection, exposing nearly 63 million records.
These included emails, names, internal user ID numbers, internal records and user posts related to 863,412 users of the site.
Fowler warned that an attacker without administrative credentials could have edited, downloaded or even deleted this data.
The latter threat is particularly real given the recent spate of “Meow” bot attacks on exposed databases. An attacker could also look to steal the data before deleting it and holding it to ransom.
Another particular threat from exposure of this kind of data is domain hijacking, Fowler warned.
“Having the contact information, email and other details could allow a cyber-criminal to use acquired personal information about the actual domain owner to impersonate them,” he explained.
“Domain hijacking is exactly what it sounds like and criminals could try to change the registration information and ownership details. This type of theft would allow the domain hijacker to gain full control of the website name and can use the domain for their own purposes or try to sell it to a third party.”
Fowler described the dataset as a “treasure chest of information” for would-be domain hijackers.
“Many of the email accounts were admin@ or similar. Having a domain stolen can destroy a business or an organization and there is no guarantee that you will get it returned,” he continued.
“Anyone who has ever lost a domain name will tell you that dealing with lawyers, court costs and losing the trust of your clients would be devastating.”