Openprovider: Massive Openprovider leak threatens web domains

Dutch Domain Registrar Openprovider Exposes 164GB of Sensitive Data in Elasticsearch Misconfiguration

Dutch domain registrar Openprovider inadvertently exposed nearly 164GB of internal and customer data for three months due to a misconfigured Elasticsearch instance. The breach, discovered by SecurityDiscovery researcher Bob Diachenko and the Cybernews team, put millions of domains at risk by leaking sensitive information, including domain registration details, transfer authentication codes, internal response payloads, and customer actions.

The unsecured database also revealed personally identifiable information (PII) such as usernames, addresses, phone numbers, reseller IDs, WHOIS privacy status, and raw domain provisioning records. Cybernews researchers warned that the exposure could have enabled targeted cyberattacks, as unredacted domain records would allow threat actors to identify websites with shared vulnerabilities—potentially leading to widespread exploitation.

The Elasticsearch instance has since been secured, but the prolonged exposure underscores the risks of improperly configured cloud databases in the domain registration ecosystem.

Source: https://www.scworld.com/brief/massive-openprovider-leak-threatens-web-domains

Openprovider cybersecurity rating report: https://www.rankiteo.com/company/openprovider

"id": "OPE1767778930",
"linkid": "openprovider",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Millions of domains at risk',
                        'industry': 'Technology/Internet Services',
                        'location': 'Netherlands',
                        'name': 'Openprovider',
                        'type': 'Domain Registrar'}],
 'attack_vector': 'Misconfigured Database',
 'data_breach': {'personally_identifiable_information': ['Usernames',
                                                         'Addresses',
                                                         'Phone numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Domain registration data',
                                              'Internal response payloads',
                                              'Customer actions',
                                              'Domain transfer authentication '
                                              'codes',
                                              'Usernames',
                                              'Addresses',
                                              'Phone numbers',
                                              'Reseller IDs',
                                              'WHOIS privacy status',
                                              'Raw domain provisioning '
                                              'records']},
 'description': 'Dutch domain registrar Openprovider had almost 164 GB of '
                'internal and customer data accidentally exposed for three '
                'months as a result of a misconfigured Elasticsearch instance, '
                'putting the security of millions of domains at risk. The '
                'exposed data included domain registration data, internal '
                'response payloads, customer actions, domain transfer '
                'authentication codes, usernames, addresses, phone numbers, '
                'reseller IDs, WHOIS privacy status, and raw domain '
                'provisioning records.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage',
            'data_compromised': '164 GB of internal and customer data',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential risk to millions of domains',
            'systems_affected': 'Elasticsearch instance'},
 'post_incident_analysis': {'root_causes': 'Misconfigured Elasticsearch '
                                           'instance'},
 'references': [{'source': 'Cybernews'},
                {'source': 'SecurityDiscovery researcher Bob Diachenko and '
                           'Cybernews research team'}],
 'response': {'containment_measures': 'Database secured',
              'third_party_assistance': 'SecurityDiscovery researcher Bob '
                                        'Diachenko and Cybernews research '
                                        'team'},
 'title': 'Openprovider Data Exposure Due to Misconfigured Elasticsearch '
          'Instance',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Unprotected Elasticsearch instance'}