Openprovider Suffers Massive Data Leak: Elasticsearch Server Exposed 164GB of Domain & Customer Data for 3 Months
On April 6, 2025, security researcher Bob Diachenko, working with analysts from the Cybernews team, discovered an unprotected Elasticsearch server belonging to Openprovider. The server was reachable from the internet without any authentication, leaving highly sensitive data open to anyone who found it.
Elasticsearch is a search and analytics engine widely used to store and query logs and monitoring data, and it serves everything it holds through an HTTP API. When an instance is bound to a public interface with its security features disabled, that API answers anyone who connects, and internal data becomes publicly readable. That is exactly what happened here.
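The misconfiguration behind this kind of exposure is usually visible in a single file. The script below is an added illustration, not code from Openprovider, Elastic or the researchers: it audits an elasticsearch.yml for a node that listens beyond loopback while security is off. It assumes the flat `dotted.key: value` layout elasticsearch.yml normally uses, treats a missing `xpack.security.enabled` as "off" (the 7.x behaviour; 8.x enables security automatically, so there the check is only a backstop), and the two configurations it inspects are constructed for the example.

```python
"""Audit an elasticsearch.yml for the exposure pattern described above:
a node reachable beyond loopback with security switched off.

Added example, not Openprovider's or Elastic's code. Assumes the flat
`dotted.key: value` layout elasticsearch.yml normally uses, and treats a
missing xpack.security.enabled as "off" (7.x default; 8.x enables it
automatically, so on 8.x this check is only a backstop).
"""
import ipaddress

# Values of network.host that keep the node on the loopback interface.
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    """Parse `dotted.key: value` lines; comments and blank lines are skipped.
    Nested YAML blocks are out of scope for this example (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def bound_beyond_loopback(host_setting) -> bool:
    """True when network.host makes the node reachable from other hosts.
    Unset means Elasticsearch's documented default of loopback only."""
    if host_setting is None:
        return False
    hosts = [h.strip().strip("'\"") for h in host_setting.strip("[]").split(",")]
    for host in filter(None, hosts):
        if host in LOOPBACK_ALIASES:
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # a hostname or a special value such as _site_ / _global_
        return True
    return False


def audit(config_text: str) -> list:
    """Return a list of findings; an empty list means no exposure pattern found."""
    s = parse_flat_yaml(config_text)
    findings = []
    exposed = bound_beyond_loopback(s.get("network.host"))
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if exposed and not security_on:
        findings.append(
            "network.host=%s with xpack.security.enabled off: every index is "
            "readable by anyone who can reach port %s"
            % (s["network.host"], s.get("http.port", "9200"))
        )
    if exposed and security_on and not tls_on:
        findings.append("REST API reachable over the network without TLS: "
                        "credentials travel in clear")
    return findings


# Constructed configs for the example; not taken from any real deployment.
WEAK_CONFIG = """
cluster.name: registry-logs
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false  # no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: registry-logs
network.host: 10.0.0.5         # private interface only (constructed address)
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

DEFAULT_CONFIG = "cluster.name: registry-logs\n"  # network.host unset: loopback only

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("default", DEFAULT_CONFIG)]:
        print(name, audit(cfg) or ["no exposure pattern found"])
```

Run it against the node's own elasticsearch.yml in a config-review or CI step; a non-empty result from `audit()` is the condition that turned a private log store into a public download in this case. Note that it only reads the file: a firewall or reverse proxy in front of the node can still close or open the port independently, so pair the check with an external port scan.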
The exposed server contained extensive logs of domain registration events, client activity and internal API requests, and, notably, authCodes: the authorization codes (also known as EPP codes or transfer keys) required to move a domain from one registrar to another. An auth code is, in effect, the password to a domain, so anyone holding a valid code together with the domain name could initiate a transfer and hijack ownership.
The logs also recorded personal metadata: usernames, reseller IDs, WHOIS privacy status and raw records of the registration process. Most alarmingly, even domain owners who had paid for WHOIS privacy found their contact details, including postal addresses, phone numbers and email addresses, stored in plain text.
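Auth codes and registrant contact details have no business being in a log index at all; the damage in cases like this is done long before the index is exposed. The following Python filter is an added illustration, not Openprovider's code, of scrubbing such fields from structured log records before they are shipped. The field-name denylist and the sample record are constructed for the example, since the real log schema is not public; the `<domain:pw>` pattern is the place the EPP protocol (RFC 5731) carries a domain's authorization code in raw requests.

```python
"""Scrub EPP authorization codes and registrant contact data from structured
log records before they are shipped to a search index.

Added example; not Openprovider's code. The field names below are a
constructed denylist, since the real log schema is not public.
"""
import json
import re

# Keys are compared after lowercasing and dropping '_' and '-', so
# auth_code, authCode and AUTH-CODE all match "authcode".
SECRET_KEYS = {"authcode", "authinfo", "transferkey", "password", "token"}
PII_KEYS = {"name", "email", "phone", "address", "postaladdress", "street"}

# Raw EPP create/transfer requests carry the code in <domain:pw> (RFC 5731).
EPP_PW_RE = re.compile(r"(<domain:pw>)[^<]*(</domain:pw>)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REDACTED = "[REDACTED]"


def _norm(key: str) -> str:
    return key.lower().replace("_", "").replace("-", "")


def scrub_text(text: str) -> str:
    """Redact secrets and email addresses that hide inside free-text fields."""
    text = EPP_PW_RE.sub(r"\g<1>%s\g<2>" % REDACTED, text)
    return EMAIL_RE.sub("[email]", text)


def scrub(value):
    """Return a scrubbed copy of a record; nested dicts and lists are walked.
    The original object is left untouched."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            norm = _norm(key)
            if norm in SECRET_KEYS or norm in PII_KEYS:
                out[key] = REDACTED
            else:
                out[key] = scrub(item)
        return out
    if isinstance(value, list):
        return [scrub(item) for item in value]
    if isinstance(value, str):
        return scrub_text(value)
    return value


def scrub_json_line(line: str) -> str:
    """Filter step for a JSON-lines pipeline (one record per line)."""
    return json.dumps(scrub(json.loads(line)), ensure_ascii=False)


# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD = {
    "event": "domain.transfer.requested",
    "domain": "example.com",
    "reseller_id": 10423,
    "auth_code": "Xk9pQ2vL7z",
    "registrant": {
        "name": "Jane Doe",
        "email": "jane@example.org",
        "phone": "+31 20 123 4567",
        "whois_privacy": True,
    },
    "raw_request": "<domain:authInfo><domain:pw>Xk9pQ2vL7z</domain:pw></domain:authInfo>",
    "message": "transfer initiated by jane@example.org",
}

if __name__ == "__main__":
    print(scrub_json_line(json.dumps(SAMPLE_RECORD)))
```

The filter redacts by key for structured fields and by pattern for free text, because the raw request bodies and human-written messages in a registrar's logs carry the same secrets without a convenient field name. Identifiers needed for debugging, such as the domain, event type and reseller ID, pass through untouched, so the index stays useful for operations while holding nothing that enables a domain transfer.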
Researchers estimate that the server housed approximately a dozen indices, collectively amounting to 164 gigabytes of data. One index contained a multi-year history of domain registrations, while others captured internal communications with clients—ranging from notifications to service announcements.
Among the most sensitive records were combinations of domain names with their respective authorization codes, technical and administrative identifiers, user data, and backend handles. This constellation of information could enable unauthorized control over digital properties without the owner’s consent.
Beyond direct domain takeover, the leak provides fertile ground for phishing schemes and targeted fraud. With access to reseller and administrator contact details, threat actors could impersonate legitimate communications or construct elaborate social engineering attacks.
The scale of the exposure is such that, in less fortunate circumstances, it could have become one of the most consequential incidents in recent memory. Control of a domain means control of its DNS, so a hijacked enterprise domain lets an attacker redirect web traffic, intercept email and obtain certificates for the name. Hijacking and tampering with domains belonging to major enterprises could therefore lead to further large-scale data leaks and a serious erosion of trust in internet infrastructure.
The leak also exposed internal workings of Openprovider: response templates, process identifiers, and the architecture of batch operations. These fragments could allow adversaries to reconstruct the company’s server logic and orchestrate precision attacks on its infrastructure.
Additionally, the data made it possible to correlate large numbers of domains managed by the same developers. Such associations reveal clusters of websites that share infrastructure or tooling, so a vulnerability found in one of them is likely to be repeated across the others.
Upon discovering the issue, the researchers promptly notified the company. Openprovider confirmed the exposure and had secured the server by April 7. It later emerged that the system had been publicly accessible for three months, during which anyone could download the data without restriction.
Openprovider, a Netherlands-based firm accredited by ICANN, manages millions of domains globally and provides hosting infrastructure, cloud services, and domain registration solutions—primarily serving corporate clients and agencies. While its main market is Europe, its operations span other regions as well.
In official statements, the company pledged to notify affected parties in its upcoming newsletter. It also announced a review of internal security procedures and the launch of a bug bounty program to encourage vulnerability reporting.
Though Openprovider had already been utilizing external security testing services, it now plans to tighten access policies and strengthen server configuration oversight.
This incident serves as yet another stark reminder that even mature IT companies are not immune to the consequences of misconfiguration. Had this dataset reached cybercriminals, the damage could have touched thousands of organizations and millions of users. The defences are not exotic: bind data stores to private interfaces and require authentication, inventory and scan externally reachable ports on a regular schedule, keep secrets such as auth codes out of logs altogether, and audit configurations so that a single missed setting cannot expose everything.