Databases
Every database across the infrastructure and which application owns it.
Production droplet — MySQL 8.0.44 (local)
| Database | Used by | Engine | Notes |
|---|---|---|---|
hatch | hatch.social (WordPress) | MySQL local | Table prefix uDFnVS0xv_ |
hatch-web | web.hatch.social (WordPress) | MySQL local | Table prefix wp_ |
hatch-social-test | api.hatch.social (Laravel API) | MySQL local | test data, not prod |
hatch-social → remote | dash.hatch.social (Laravel dashboard) | DO Managed MySQL | Real production data — see below |
On the production droplet, MySQL listens on 0.0.0.0:3306 (and X-protocol on 33060). Confirm the DigitalOcean Cloud Firewall blocks these ports from the public internet.
Production data — DigitalOcean Managed MySQL
| Host | db-hatchsocial-prod-do-user-17843709-0.m.db.ondigitalocean.com |
|---|---|
| Port | 25060 (TLS) |
| Database | hatch-social |
| Consumed by | The Laravel dashboard (dash.hatch.social) |
| Significance | This managed cluster holds the real production application data for the dashboard. It is the most important data store to protect and back up. |
Staging VM — MariaDB 10.11.14 (local)
| Database | Used by | Notes |
|---|---|---|
wordpress | The empty WordPress install on 206.189.206.251 | 12 default tables, 1 user — placeholder content only. Bound to localhost. |
Loose database dumps found in source control
The backend repo (redesigned-spoon-Dashboard) has two MySQL dumps checked in under public/, the web-served directory:
public/hatch-social (16).sql(~395 KB)public/u610221546_hatch_social (2).sql(~113 KB)
The u610221546_ prefix is the format Hostinger uses for shared-hosting database names — another hint the backend has lived on third-party hosting. Anything in public/ can be downloaded over the web if deployed as-is. These dumps should be removed from the repo and the history scrubbed, then treated as potentially leaked.
Where mobile data actually lives — open question
The shipping mobile app points at hatch-social.cstmpanel.com, not at api.hatch.social. Whatever database that host uses is the real production datastore for the mobile experience, and it is currently outside your audited infrastructure. Resolving this is the top item on the Findings page.