Did the Pi-hole donation mail list get leaked?

Hey, I just got a weird spam mail to my iCloud. I've been using the "hide my email" functionality that iCloud offers (or catch-all@mydomain if I don't need to hide as much) for online forms that ask for my mail.

I have been using Pi-hole for years and enjoy it, thus I donate from time to time to support the project. This year I have donated two times. On the 2nd of February 2025 I created a "hide my email" address which I used for the Pi-hole donation. Today I received a spam mail to this address.

The "hide my email"-addresses are single use and never reused. They are created on the fly. I'm able to lookup all created addresses and I usually attach a comment to remember why I created it.

I'm quite sure Pi-hole as an organization does not sell the data, hence I'm asking: did anyone else get this spam? I got it today, 16.12.

I can share more details about the spam sender with anyone interested, please contact me by PM.

Looking in to it now. We don't store any information like credit card numbers, that's all handled directly with the card processors (Stripe or PayPal). The email address is used purely so donors can look up past donations or manage (cancel) ongoing donations.

We're still researching and waiting for responses from our web host and the donation plugin creators.

What I am pretty sure happened is the following:

Our donation software is a WordPress plugin. Part of that integration creates a local WordPress user account to allow for donors to access their donation records or manage any recurring payment setups.

Those local WordPress user accounts could be enumerated, probably through the WordPress xmlrpc. We used to self-host the WordPress install on AWS, but their pricing is just too much, so we moved to a shared host around a month ago. The WP security plugin was not migrated as the host had some of their own security features. I have since re-enabled the WP security plugin and we've run some scans and do not see any exploits.

The extent of the data available was:

  1. Whatever name/names you typed in the fields.
  2. The email address you used.

That's it. We don't have access to or store any credit card numbers or verified names or addresses or phone numbers. Any PII is maintained directly by the card processors, Stripe or PayPal. We make it clear in the donation form that we don't require a valid name or email address; it's purely for users to see and manage their donations.

Donation history requires an email sent with a one-time access URL; you can't access any of that with just an email address alone.

So, yeah, this sucks and yes, this isn't what I'd like to have happened. But this is also why we do not ask for and do not collect any PII. I'm of the belief that anything you put out on the internet is going to be seen at some point in time. So instead of trying to protect information, we just don't collect it.

I've asked the donation plugin maintainers if there's a way to stop the creation of local WP accounts and to remove any accounts that were created in the past.

3 Likes

Thanks for looking into it. I'm personally not affected since I used a disposable mail just for this specific thing that might happen, but I wanted you guys to know in case it was something you wanted/needed to look into.

1 Like

Waiting to hear exactly what this fix entails or how it was exploited

Here it is:

3 Likes

I've read your blog post on this. Great post with a satisfying, outstanding level of transparency.

One remaining question in the shadow of the plugin authors' reaction ([RESOLVED] GiveWP plugin is exposing donors name and email addresses directly in the source code · Issue #8042 · impress-org/givewp · GitHub): are you considering replacing that plugin?

Wow, even HIBP indexed this already:

I appreciate the post and all, but the ball was dropped by not notifying any of your donors!! And that's why I pulled my monthly donations of 7 years. It wasn't much, but Pi-hole failed to notify the people affected directly.

I mean, they did a whole post-mortem on the blog and submitted the leak to haveibeenpwned. That's a lot better than what most companies do when this type of incident happens.

I am also not sure how effective the donor email list would be for notifying people, because you could literally put any information you wanted in those fields.

1 Like

Yes, the analysis and post-mortem are great resources in describing what happened and why.

Still misses the point... a simple message to the donor list would have taken minutes, and if donors put valid email addresses in, donors would have been informed. Finding out via HIBP isn't how I wanted to find out.

It's up to you, it's your money.

I just think it seems a bit hasty to be mad about how you were notified when @DanSchaper just started looking into it a week ago and you are already aware of the leak and know exactly what happened. To me, that seems like a pretty stellar level of communication.

1 Like

You (and I) found out via HIBP because Pi-hole notified them and because you've already asked HIBP to monitor your domain/email addresses for any such notifications.

In other words, you found out thanks to Pi-hole's diligent response and recovery actions, our (me and you) planning in advance to use HIBP for qualified notifications, and Pi-hole's use of HIBP in their incident response.

I say qualified, because the donation box itself makes it clear you can enter a fake email address for a one-off donation. If Pi-hole was trying to use the donation email list, they themselves would have to acquire the same leaked addresses and then essentially 'spam' them with a notification. That makes no sense, and I didn't sign up for such emails from Pi-hole – but I did sign up for exactly those kind of emails from the HIBP service, as did you.

The issue was out of Pi-hole's control but they 100% owned and acted on the part they could own and did their own post-mortem, blog post and disclosure irrespective of the poor response from the third party.

Since all this, GiveWP have published a response.

2 Likes

A 'simple message to the donor list' was impossible. The list contained 33k email addresses, a good portion of which were not real. There is no email host on the planet that would allow 33k emails to go out and have a great number of them bounce. That immediately looks like spam to Google, Microsoft and all the major email hosts, and would get the email provider blacklisted.

I wasn't going to send out 33k emails. That's why we provided the list to HIBP. People that would like to receive the information that their emails were leaked would likely be HIBP subscribers, and Troy confirmed a large percentage of the emails that he sent via HIBP went to HIBP subscribers.

I know you're mad. I was incensed when this happened. I thought we had lost all of the trust we worked so hard to gain from the Pi-hole community, and I felt like I personally let everyone down.

I'm not sure what me emailing you directly would have accomplished; you got the HIBP email. That's why HIBP exists. I'm sorry that you pulled your donations, but I don't see how you can relate the donations that help support Pi-hole to the software that Pi-hole creates and supports. To me, pulling a donation means that you are pulling your support for Pi-hole. But it's your choice to make and I won't try to push you in one direction or the other.

2 Likes

Oh god yes.

I thought I read somewhere that supporting Pi-hole via GitHub Sponsors is a "better" and more direct way. By "direct" I mean there are no third parties involved that receive the money and also keep a percentage of it.
Which is why I am supporting this project through GitHub Sponsors.

Is this indeed still the preferred way? And is it now a safer bet than going via the WordPress plugin?

Yes, GitHub Sponsors gets everything you donate to us, and that is the best of all available options.

Going through the WP plugin uses PayPal or Stripe to process the transaction, and the associated fees are subtracted from the amount. There is the "I'll pay the fee" option, but that means you have to donate more to cover the fee. Smaller donations in the $1 USD to $3 USD range are basically nullified if the transaction fees are not covered.

1 Like

I have Google domains blocked. GitHub donations don't work when that is done.

I have 2 pages of Google domains blocked.

Hi,

My first post, so please be nice :wink:.

As I am a happy user, donor and also affected, I want to thank the team and Dan (intentionally not mentioning him; I could not even dream of how sleepless he must have been recently) for taking the right actions, good incident post-mortem.

But there is still action to take. The data is available online as of today. Reading the GitHub issue, anyone may get "where" and an idea of how many "others" will be affected given the distribution of the plugin.

I personally will send a GDPR notification to the involved parties to make them aware of the still unsolved data breach, but I will not post the information in public, for obvious reasons. I hope you understand.

If you want to send me a private message with which indexers you see the data on, then I can try to see if they will remove it. I think you can assume that it's already all been scraped and sold to whomever would buy it.
