Pi-hole Data Breach Exposes Nearly 30,000 Donor Emails via WordPress Plugin Flaw
- Rex
- Aug 6

In late July 2025, a Pi-hole data breach exposed the names and email addresses of nearly 30,000 donors, sparking concern among users and cybersecurity professionals. The leak was attributed to a flaw in GiveWP, a WordPress donations plugin used on Pi-hole's official site. Though the bug did not affect the Pi-hole software itself, it drew attention to the security of third-party programs used by open-source initiatives.
The issue was first detected after donors received phishing emails sent to addresses they had created specifically for Pi-hole donations. It was found that a vulnerability in GiveWP could expose donor information in the source code of the site, making names and emails visible to web scrapers and other ill-intentioned parties. The plugin's vendor issued a patch some time after the problem was found, but there is still concern about the lag between discovery and disclosure.
Pi-hole became the main source of information on the episode: it published a detailed post-mortem on July 30, reassuring users that its DNS-blocking software was not affected. It also reported the breach to the general breach database called Pwned, where users can check whether their information was compromised. Nevertheless, some felt that too much time had passed before the plugin-related information was disclosed.
Cybersecurity experts stressed that the event highlights the danger of relying on third-party plugins, even those with an excellent reputation. The Pi-hole data breach is a reminder that auxiliary systems and donation systems should receive the same scrutiny as the main software. Pi-hole's transparency and speed of response were praised, but the incident still revealed some systemic risks in open-source infrastructure.
For donors, the recommended steps include watching out for phishing attacks, choosing strong and unique passwords, and applying two-factor authentication where feasible. Pi-hole users who do not contribute to the service or use the donation system on the website do not have to worry about this breach. The incident is nonetheless a lesson in the dark side of software ecosystems that are sometimes assumed to be safe.