164GB of Sensitive Data Found in Misconfigured Server
A critical security lapse at Openprovider, a major domain registrar based in the Netherlands, has exposed sensitive customer data and domain management credentials. Discovered on April 6, 2025, the breach involved over 164GB of data left open to the public via a misconfigured Elasticsearch instance.
Cybersecurity researcher Bob Diachenko, along with Cybernews, identified the exposure. The data had been accessible for roughly three months before Openprovider secured the server. The exposed information included domain transfer codes (authCodes), WHOIS-protected contact details, and internal operational logs.
AuthCodes, WHOIS Info, and Infrastructure Data at Risk
AuthCodes function like passwords for transferring domains. Their exposure puts domain owners at risk of domain hijacking, phishing attacks, and traffic redirection. Even more concerning, private details from users who paid for WHOIS privacy—including names, phone numbers, and email addresses—were also visible.
The leaked server logs revealed backend operations, client architectures, and registrar activity. These insights could help cybercriminals understand infrastructure dependencies and plan targeted attacks—especially in sensitive sectors like finance and healthcare.
Openprovider Response and Ongoing Customer Guidance
Openprovider confirmed the error and launched its incident response plan. The company plans to notify affected users and strengthen internal controls. It is also exploring the launch of a bug bounty program to prevent future misconfigurations.
Customers are advised to rotate login credentials, watch for unusual domain activity, and prepare for phishing risks. Anyone relying on domain privacy protection should assume that their identity may have been exposed.
This incident highlights how misconfigured cloud systems can expose mission-critical assets—even without any malicious intent.

