13 million plaintext passwords leak from free webhosting firm

Sometimes you do get what you pay for.

In the case of webhosting firm 000Webhost you paid nothing to have your site hosted on their servers, and you got next to no security.

Because, as a leak of over 13 million passwords from the service has revealed, 000Webhost was recklessly storing its customers’ passwords as plaintext – one has to assume that words such as hashing, salting and encryption are not in their dictionary.

A cheery message on the front page of the 000Webhost website now thanks for customers for their understanding:

Important! Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.

But according to security expert Troy Hunt, who first made details of the data breach public, the warning was only displayed after he spent days attempting to find anyone at 000webhost would respond to his concerns that 13 million customer records had been stolen from the firm over five months before, as well as a number of security issues with the website.

Extraordinarily, Hunt says he has still not received any acknowledgement from the firm concerning the breach from 000webhost or sister companies Hosting24 and Hostinger. One has to assume that they also have not proactively contacted users exposed by the hack, and warned them that they should ensure that they are not using the same passwords on another online account.

Because everyone should run a strict “one password, one website” policy. Reusing passwords is playing Russian roulette with your online identity and (potentially) your finances. It’s very common for hackers who have stolen data from one site to then see if they can unlock accounts on other websites using the same credentials.

And you know what? More times than not, it works.

Internet users need to learn that the biggest password problem is not actually dumb, guessable passwords. The biggest password problem is reuse.

There’s not much you can do to stop companies from being irresponsible with the information you have entrusted them with, but you can make certain that if your password is stolen from a particular service that it will not start a ‘domino effect’ of your other online accounts falling into the hands of hackers.

000Webhost may not have responded to Troy Hunt, but it has finally made some statements about the security breach – posting a message on its Facebook page, revealing that the hacker exploited an old, vulnerable version of PHP.

Source: Facebook

It’s hard to reconcile 000Webhost’s claim that they are “committed to protect user information” with the revelation that it was *plaintext* passwords that the hackers were able to get their claws on.

Troy Hunt says he has now added 13,545,468 000webhost email addresses to his excellent and strongly-recommended Have I Been Pwned service which notifies internet users if their details were included in a data breach.