13 million plaintext passwords leak from free webhosting firm

Sometimes you do get what you pay for.

In the case of webhosting firm 000Webhost you paid nothing to have your site hosted on their servers, and you got next to no security.

Because, as a leak of over 13 million passwords from the service has revealed, 000Webhost was recklessly storing its customers’ passwords as plaintext – one has to assume that words such as hashing, salting and encryption are not in their dictionary.
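For contrast with the plaintext storage described above, here is an added example (not code from this article, and not 000webhost's own) of how a service should hold credentials: each password is run through PBKDF2-HMAC-SHA256 with a per-user random salt, only the salt and the digest are stored, and a login recomputes the digest and compares it in constant time. The record format, the function names and the iteration count are this example's own choices.

```python
"""Salted password hashing with Python's standard library.

Added example: a leaked table of these records does not hand an attacker the
passwords themselves, unlike the plaintext store the article describes.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2. Example value chosen here; tune it to what the
# deployment's login latency budget allows, and raise it over time.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        # A fresh random salt per user: two users with the same password
        # get different records, so one cracked digest reveals nothing
        # about the others and precomputed tables do not apply.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # compare_digest avoids leaking the digest via comparison timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record was made with a weaker policy than the current one.

    Call this after a successful login and re-store the password with
    hash_password() so old accounts catch up with the current work factor.
    """
    try:
        algo, iterations, _salt, _digest = record.split("$")
    except ValueError:
        return True
    return algo != ALGO or int(iterations) < ITERATIONS


def build_user_table(credentials: dict[str, str],
                     iterations: int = ITERATIONS) -> dict[str, str]:
    """Build a constructed user table the way a provider should store it."""
    return {user: hash_password(pw, iterations=iterations)
            for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob reuse the same password.
    sample = {"alice": "correct horse battery",
              "bob": "correct horse battery",
              "carol": "hunter2"}
    table = build_user_table(sample)
    for user, record in table.items():
        print(user, record)
    # Same password, different salt, different stored record:
    print("alice == bob:", table["alice"] == table["bob"])
    print("carol login ok:", verify_password("hunter2", table["carol"]))
    print("wrong password:", verify_password("hunter3", table["carol"]))
```

The table printed at the end is what a breach of this design would expose: an iteration count, a salt and a digest per user, none of which can be replayed against another site the way a plaintext password can.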

A cheery message on the front page of the 000Webhost website now thanks customers for their understanding:

Important! Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.

But according to security expert Troy Hunt, who first made details of the data breach public, the warning was only displayed after he spent days attempting to find anyone at 000webhost who would respond to his concerns that 13 million customer records had been stolen from the firm over five months before, and to a number of security issues with the website.

Extraordinarily, Hunt says he has still not received any acknowledgement of the breach from 000webhost or its sister companies Hosting24 and Hostinger. One has to assume that they also have not proactively contacted users exposed by the hack and warned them to make sure they are not using the same password on any other online account.

Because everyone should run a strict “one password, one website” policy. Reusing passwords is playing Russian roulette with your online identity and (potentially) your finances. It’s very common for hackers who have stolen data from one site to then see if they can unlock accounts on other websites using the same credentials.

And you know what? More times than not, it works.

Internet users need to learn that the biggest password problem is not actually dumb, guessable passwords. The biggest password problem is reuse.

There’s not much you can do to stop companies from being irresponsible with the information you have entrusted to them, but you can make certain that, if your password is stolen from one service, it will not start a ‘domino effect’ of your other online accounts falling into the hands of hackers.

000Webhost may not have responded to Troy Hunt, but it has finally made some statements about the security breach – posting a message on its Facebook page, revealing that the hacker exploited an old, vulnerable version of PHP.

[Screenshot of 000webhost’s statement on its Facebook page. Source: Facebook]

It’s hard to reconcile 000Webhost’s claim that they are “committed to protect user information” with the revelation that it was *plaintext* passwords that the hackers were able to get their claws on.

Troy Hunt says he has now added 13,545,468 000webhost email addresses to his excellent and strongly-recommended Have I Been Pwned service which notifies internet users if their details were included in a data breach.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

4 Comments


  • I’m at two minds regarding this;

    – You pay for what you get, and
    – I wonder how many other sites, hosting providers, services, etc… offer the same insecurities that haven’t been exploited/exposed?

    The webpage is redirecting to http://error.000webhost.com/ last I checked.

    I’m not sure how the site was prior to the redirect, but they do not seem to have SSL on their main page, let alone an EV SSL.

    First appearances last and this alone would’ve deterred me from using it. Even more so now…

  • I seem to remember that this company serves (or used to) as a gateway for paying customers for hosting24.com. The latter do not even use SSL for the control panel login sequence, and refuse flatly to compensate when the guaranteed uptime promise is breached. What can be done about such companies?

  • A message from CEO Arnas Stuopelis about 000webhost data breach.

    We have witnessed a database breach on our main server. A hacker used an exploit in an old PHP version of the website, gaining access to our systems and exposing more than 13.5 million of our customers’ personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

    We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

    At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

    At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn’t manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

    Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.

    Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.

    Contact:
    Arnas Stuopelis
    CEO, Hostinger
    press@hostinger.com