Pi-hole ad blocker discloses data breach linked to WordPress plugin vulnerability.

Pi-hole, the widely used open-source network-wide ad blocker, has disclosed a data breach affecting nearly 30,000 of its donors. The incident was traced back to a security flaw in the GiveWP WordPress plugin, which Pi-hole used to manage donor information.

Incident Overview

According to an official statement from the Pi-hole team, the breach, detected on July 30, 2025, exposed the names and email addresses of 29,926 donors. The vulnerability in the GiveWP plugin made sensitive donor data publicly accessible: viewing it required neither authentication nor special permissions.

The root cause was identified as a misconfiguration or security oversight within the GiveWP plugin. This flaw allowed unrestricted internet access to a database containing donor names and associated email addresses. Upon discovery, Pi-hole promptly reported the incident and submitted affected email addresses to reputable breach-notification services, including “Have I Been Pwned,” to alert potentially impacted individuals.

Impact and Risks

While no financial information or passwords were exposed, the data leak puts affected individuals at risk of phishing, identity theft, and targeted spam campaigns. Several users have reported receiving spam and phishing attempts directed to email addresses used exclusively for Pi-hole donations, further confirming the reach of the exposure.
