Millions of domains at risk as Openprovider suffers major data leak


Openprovider, a Netherlands-based domain registrar, has inadvertently leaked over 100GB of sensitive customer and internal data, including domain transfer authentication codes.

Key takeaways:

  • Leak discovered: April 6th, 2025
  • Responsible disclosure: April 6th, 2025
  • Leak closed: April 7th, 2025
On April 6th, 2025, Bob Diachenko, a cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews research team, discovered a publicly exposed Elasticsearch instance containing extensive data of Openprovider users and internal operations.


Elasticsearch is a platform for data analytics and search in near real-time.

The exposed server contained logs detailing domain registration data, customer actions, internal response payloads, and even domain transfer authentication codes (authCode). These codes act like passwords for transferring domains, and attackers could abuse them to hijack website addresses.

“Notably, the exposure included sensitive metadata such as usernames, reseller IDs, WHOIS privacy status, and raw domain provisioning records,” Diachenko said.

The records include registrants’ names, addresses, phone numbers, and email addresses, even if they paid for domain privacy services, which redact this info from public WHOIS records.


The researchers immediately notified the company about the leaking data. Openprovider acknowledged the issue and secured the server the next day, on April 7th, 2025. The company later clarified that the data had been left accessible to anyone for three months.

Openprovider is a Netherlands-based ICANN-accredited domain registrar. The technology company offers domain registration, web hosting, and cloud services, primarily targeting resellers and businesses. The company manages several million domains, as its extensive infrastructure is used by thousands of domain resellers, web hosting providers, agencies, and other large clients.

The company operates globally and has a strong presence in European markets.


Openprovider confirmed plans to notify affected customers and strengthen internal processes. Cybernews reached out for additional comments about this incident, but did not receive a response before publishing this article.

In the hands of hackers, the leak could’ve been devastating

The exposed Elasticsearch instance contained around a dozen indices holding around 164GB of data.

“This leak, if bad actors got their hands on it, could’ve become one of the largest cyberattacks in history, as malicious actors could have been able to redirect millions of domains from trusted and popular websites to their malicious websites,” Cybernews researchers said.

The largest of the indices likely holds historical domain registration data, including customer information and domain details. Other indices contained notifications sent to customers, potentially exposing sensitive communications.

“The most sensitive fields in the leaked Logs of domain registration activity and metadata are domain names combined with the registration auth codes, billing/tech/admin handles, usernames, and account identifiers,” our researchers explained.


“While this data is not the conventional personally identifiable information, like credit card details or passwords, the exposure of domain registration logs poses very serious operational risks.”
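The root cause described above is a search index that received raw provisioning logs, auth codes included. The following is an added example, not Openprovider's code and not the Cybernews researchers' tooling, of the kind of scrubbing step a registrar can run on a log record before it is handed to an indexer: secret fields are dropped, account identifiers are replaced by a one-way token so lines still correlate, and a final scan refuses any record that still carries a clear-text secret. The field names, the sample record and the pepper value are all assumptions modelled on the field types the article names; they are not Openprovider's real schema.

```python
import hashlib
import json
import re

# Field names treated as secrets (dropped) or identifiers (tokenised). These are
# assumptions modelled on the field types the article mentions, not a real schema.
SECRET_FIELDS = {"authcode", "auth_code", "authinfo", "auth_info", "password"}
IDENTIFIER_FIELDS = {"username", "account_id", "reseller_id", "owner_handle",
                     "admin_handle", "tech_handle", "billing_handle"}
# Free-text messages sometimes embed "authCode=..."; this pattern blanks the value.
INLINE_SECRET = re.compile(r"(auth_?(?:code|info)\s*[=:]\s*)\S+", re.IGNORECASE)

# A constructed log record in the style of a domain provisioning log entry.
SAMPLE_RECORD = {
    "event": "domain.transfer.requested",
    "domain": "example.net",
    "authCode": "s3cr3t-transfer-key",
    "username": "reseller-alice",
    "reseller_id": 4711,
    "contacts": {"owner_handle": "AB12345-XX", "tech_handle": "CD67890-XX"},
    "response": {"status": "ok", "message": "queued; authCode=s3cr3t-transfer-key"},
}


def tokenise(value, pepper=b"rotate-me-example-pepper"):
    """One-way token so identical identifiers still correlate across log lines.
    The pepper is a placeholder; a real deployment keeps it out of the log pipeline."""
    digest = hashlib.sha256(pepper + str(value).encode()).hexdigest()
    return "tok_" + digest[:16]


def redact_record(node):
    """Recursively copy a log record, dropping secrets and tokenising identifiers."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            lowered = key.lower()
            if lowered in SECRET_FIELDS:
                out[key] = "[REDACTED]"
            elif lowered in IDENTIFIER_FIELDS:
                out[key] = tokenise(value)
            else:
                out[key] = redact_record(value)
        return out
    if isinstance(node, list):
        return [redact_record(item) for item in node]
    if isinstance(node, str):
        return INLINE_SECRET.sub(r"\1[REDACTED]", node)
    return node


def find_secret_paths(node, path=""):
    """Return dotted paths of fields that still carry a clear-text secret.
    Intended as a gate: a record with a non-empty result must not be indexed."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SECRET_FIELDS and value != "[REDACTED]":
                found.append(child)
            found.extend(find_secret_paths(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_secret_paths(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        m = INLINE_SECRET.search(node)
        if m and not node[m.end(1):].startswith("[REDACTED]"):
            found.append(path)
    return found


if __name__ == "__main__":
    clean = redact_record(SAMPLE_RECORD)
    print(json.dumps(clean, indent=2))
    print("remaining secrets:", find_secret_paths(clean))
```

The scan is deliberately separate from the redaction: a pipeline that only redacts has no way to notice a new field name or a new log format that slipped past the list, whereas a gate that inspects the record on its way out fails closed.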

Hackers could abuse domain transfer authentication codes, or auth codes, to initiate unauthorized domain transfers if other safeguards weren’t in place.

Cybercriminals could also exploit leaked registrar handles and user identifiers in phishing or impersonation campaigns, targeting resellers or their clients.


Furthermore, attackers could analyze the details of how domain names were registered in sensitive sectors, such as financial services. System design details were also visible, offering insight into the backend architecture, such as response schema, internal task IDs, or batch operations.

“Unredacted domain registration records would be super useful for targeted cyberattacks. Hackers could identify websites belonging to the same developers, which usually means that the same vulnerabilities would exist across them,” the researchers explained.


Monitor your domains

Following the responsible disclosure, Openprovider explained that a misconfiguration led to the data exposure, and it has been fixed as part of their active incident response protocol.

Back in April, the company said it planned to inform affected customers via their next scheduled newsletter. While the company had already been using an external penetration testing service, it was also considering a new bug bounty program.

Cybernews also recommends that customers rotate their credentials, monitor accounts for any suspicious activity, and follow other guidance provided by the registrar.

“Watch out for phishing. If you used the company’s domain privacy services, be aware that your anonymity might be affected,” our researchers concluded.
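One concrete way to act on the “monitor your domains” advice is to check a domain's public RDAP record for the EPP locks that stop a transfer even when an auth code has leaked, and to compare its nameservers and last-changed date against a known-good baseline. The code below is an added example, not the registrar's or Cybernews' tooling; the RDAP documents are constructed samples (the shape follows the RDAP domain object and the RFC 8056 status names, the values are invented), and the expected nameserver set and baseline date are assumptions a domain owner would fill in from their own records.

```python
from datetime import datetime, timezone

# RDAP status values (RFC 8056 names) for the EPP locks a registrant expects
# on a domain it wants to keep.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}
DELETE_LOCKS = {"client delete prohibited", "server delete prohibited"}
UPDATE_LOCKS = {"client update prohibited", "server update prohibited"}

# Constructed RDAP responses: one healthy domain, one with the locks gone,
# a transfer pending and an unexpected nameserver. Values are invented.
SAMPLE_LOCKED = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited",
               "client update prohibited"],
    "nameservers": [{"ldhName": "ns1.example-dns.net"}, {"ldhName": "ns2.example-dns.net"}],
    "events": [{"eventAction": "registration", "eventDate": "2020-01-10T00:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2025-03-01T12:00:00Z"}],
}
SAMPLE_SUSPECT = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["active", "pending transfer"],
    "nameservers": [{"ldhName": "ns1.example-dns.net"},
                    {"ldhName": "ns1.unexpected-example.invalid"}],
    "events": [{"eventAction": "registration", "eventDate": "2020-01-10T00:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2025-04-06T03:00:00Z"}],
}
# Assumed baseline: what the owner last verified, and when.
EXPECTED_NS = ["ns1.example-dns.net", "ns2.example-dns.net"]
BASELINE = datetime(2025, 4, 1, tzinfo=timezone.utc)


def _last_changed(rdap):
    """Timestamp of the most recent 'last changed' event, or None if absent."""
    stamps = [e["eventDate"] for e in rdap.get("events", [])
              if e.get("eventAction") == "last changed" and "eventDate" in e]
    if not stamps:
        return None
    return max(datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps)


def assess_domain(rdap, expected_nameservers, baseline):
    """Flag signs that a domain is transferable or has already been changed."""
    status = {s.lower() for s in rdap.get("status", [])}
    nameservers = {ns.get("ldhName", "").lower().rstrip(".")
                   for ns in rdap.get("nameservers", [])}
    expected = {ns.lower().rstrip(".") for ns in expected_nameservers}
    findings = []
    if not status & TRANSFER_LOCKS:
        findings.append("no transfer lock")
    if not status & DELETE_LOCKS:
        findings.append("no delete lock")
    if not status & UPDATE_LOCKS:
        findings.append("no update lock")
    if "pending transfer" in status:
        findings.append("transfer pending")
    if nameservers != expected:
        findings.append("nameservers changed: " + ", ".join(sorted(nameservers ^ expected)))
    changed = _last_changed(rdap)
    if changed is not None and changed > baseline:
        findings.append("record changed after baseline")
    return {"domain": rdap.get("ldhName"), "ok": not findings, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_SUSPECT):
        print(assess_domain(sample, EXPECTED_NS, BASELINE))
```

Run on a schedule against the live RDAP service for each domain, the same function turns a leaked auth code from a silent risk into an alert: a missing transfer lock is the condition under which the code is usable at all, and a pending transfer or a nameserver change is the moment to contact the registrar.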


Updated on June 20th [05:39 a.m. GMT]. The original version of the article incorrectly stated that Openprovider is part of another parent company. Openprovider is not affiliated with Team.blue.