Did the Pi-hole donation mail list get leaked?

Hey, I just got a weird spam mail to my iCloud. I've been using the "hide my email" functionality that iCloud offers (or catch-all@mydomain if I don't need to hide as much) for online forms that ask for my mail.

I have been using Pi-hole for years and enjoy it, so I donate from time to time to support the project. This year I have donated twice. On the 2nd of February 2025 I created a "hide my email" address which I used for the Pi-hole donation. Today I received a spam mail to this address.

The "hide my email" addresses are single use and never reused. They are created on the fly. I'm able to look up all created addresses, and I usually attach a comment to remember why I created each one.

I'm quite sure Pi-hole as an organization does not sell the data, hence I'm asking: did anyone else get this spam? I got it today, 16.12.

I can share more details about the spam sender with anyone interested; please contact me by PM.

Looking into it now. We don't store any information like credit card numbers; that's all handled directly by the card processors (Stripe or PayPal). The email address is used purely so donors can look up past donations or manage (cancel) ongoing donations.

We're still researching and waiting for responses from our web host and the donation plugin creators.

What I am pretty sure happened is the following:

Our donation software is a WordPress plugin. Part of that integration creates a local WordPress user account to allow for donors to access their donation records or manage any recurring payment setups.

Those local WordPress user accounts could be enumerated, probably through the WordPress xmlrpc interface. We used to self-host the WordPress install on AWS, but their pricing is just too much, so we moved to a shared host around a month ago. The WP security plugin was not migrated, as the host had some of their own security features. I have since re-enabled the WP security plugin, and we've run some scans and do not see any exploits.

The extent of the data available was:

  1. Whatever name/names you typed in the fields.
  2. The email address you used.

That's it. We don't have access to or store any credit card numbers, verified names, addresses or phone numbers. Any PII is maintained directly by the card processors, Stripe or PayPal. We make it clear in the donation form that we don't require a valid name or email address; it's purely for users to see and manage their donations.

Donation history requires an email with a one-time access URL; you can't access any of that with just an email address alone.

So, yeah, this sucks, and yes, this isn't what I'd like to have happened. But this is also why we do not ask for and do not collect any PII: I'm of the belief that anything you put out on the internet is going to be seen at some point in time. So instead of trying to protect information, we just don't collect it.

I've asked the donation plugin maintainers if there's a way to stop the creation of local WP accounts and to remove any accounts that were created in the past.

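The enumeration described in the post above is the kind of activity a host's web server access logs would show as a burst of requests to xmlrpc.php from one source. As an added example (not code from the Pi-hole project or from anyone in this thread), here is a small Python script that parses combined-format access log lines and flags source addresses whose xmlrpc.php request count reaches a threshold; the log lines, the documentation-range IPs and the threshold of 3 are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format (Apache/nginx) access log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Dec/2025:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Dec/2025:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Dec/2025:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Dec/2025:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [16/Dec/2025:10:05:00 +0000] "GET /donate/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Dec/2025:10:05:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xmlrpc_hits_by_ip(log_text):
    """Count requests to xmlrpc.php per source IP, ignoring any query string."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[rec["ip"]] += 1
    return dict(counts)


def flag_enumeration_sources(log_text, threshold=3):
    """Return the sorted list of IPs whose xmlrpc.php request count meets the threshold.

    The threshold is an assumed tuning value; a legitimate client (e.g. a mobile
    app using the XML-RPC API) normally issues a handful of calls, not a burst.
    """
    return sorted(ip for ip, n in xmlrpc_hits_by_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print("xmlrpc.php hits per IP:", xmlrpc_hits_by_ip(SAMPLE_LOG))
    print("flagged sources:", flag_enumeration_sources(SAMPLE_LOG))
```

On a real host you would feed the script the actual access log and, for flagged sources, confirm what was requested before deciding whether xmlrpc.php should be restricted or disabled entirely.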

Thanks for looking into it. I'm personally not affected, since I used a disposable mail just for this specific thing in case something like this might happen, but I wanted you guys to know in case it was something you wanted/needed to look into.


Waiting to hear exactly what this fix entails or how it was exploited.

Here it is:


I've read your blog post on this. Great post with a satisfying, outstanding level of transparency.

One remaining question, in the shadow of the plugin authors' reaction ([RESOLVED] GiveWP plugin is exposing donors name and email addresses directly in the source code · Issue #8042 · impress-org/givewp · GitHub): are you considering replacing that plugin?