13 million plaintext passwords stolen from free webhost go public

By Shawn Knight
Oct 29, 2015
An Australian security researcher was recently tipped off about a five-month-old security breach involving free webhosting company 000Webhost. The anonymous tipster claimed the attacker(s) got away with sensitive information belonging to 13 million site users.

The source further stated that the data consisted of full names, e-mail addresses and plaintext passwords. Turns out, he (or she) wasn't bluffing.

In a recent post on Facebook, 000Webhost said a hacker used an exploit in an old PHP version to gain access to its database. The web host said a thorough investigation is under way, that it has changed all of the passwords, and that it has "increased encryption" to avoid such mishaps in the future. The company did not say what that means in practice. The accepted fix for plaintext password storage is not reversible encryption but a per-user salted, deliberately slow one-way hash (bcrypt, scrypt, Argon2 or PBKDF2), so that a copied user table does not hand the attacker working credentials.

Customer passwords have been reset as well, and the host urges all of its users to stop reusing passwords and to change them at any other site or service where they used the same login credentials. That advice matters because leaked e-mail and password pairs are routinely tried against other services (credential stuffing).

As Troy Hunt (the Australian security researcher) highlights, the breach shouldn't be all that surprising after a look at 000Webhost's publicly accessible pages. For example, the members area login is served over plain HTTP rather than HTTPS, so credentials cross the network unencrypted. The site had also been listed on a couple of sites that publicly shame lax security practices.

On his blog, Hunt details at length how he came into the information, how he validated it, and the numerous steps he took to try to get in touch with the company and inform it of the breach.
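The storage mistake at the center of this story, and its fix, as an added example (not 000webhost's code and not from Hunt's post): a constructed plaintext user table is migrated to per-user salted PBKDF2-HMAC-SHA256 records using only the Python standard library, with constant-time verification and a rehash path for when the work factor is raised. The record format and the sample users are assumptions of this example.

```python
"""Salted, iterated password hashing versus plaintext storage.

Added example using only the Python standard library. The user table and the
record layout (algorithm$iterations$salt$digest) are constructed for this
example; they are not 000webhost's format or data.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a one-way record from a password.

    A fresh random salt per user means two users with the same password get
    different records, so precomputed tables are useless and cracking one
    record tells the attacker nothing about another. The iteration count
    makes every guess expensive.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with weaker parameters than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def migrate_plaintext_table(table: dict) -> dict:
    """Turn {username: plaintext} into {username: record}.

    This fixes storage going forward. Passwords that were already exposed in
    plaintext still have to be reset, which is why 000webhost forced a reset.
    """
    return {user: hash_password(pw) for user, pw in table.items()}


def login(table: dict, user: str, password: str) -> bool:
    """Check a login and transparently upgrade weak records on success."""
    record = table.get(user)
    if record is None:
        # Burn the same cost for unknown users so timing does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * SALT_BYTES, ITERATIONS)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        table[user] = hash_password(password)  # plaintext is in hand only now
    return True


# Constructed sample of what a plaintext table looks like (not real data).
PLAINTEXT_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}

if __name__ == "__main__":
    users = migrate_plaintext_table(PLAINTEXT_USERS)
    print("same password, distinct records:", users["alice"] != users["bob"])
    print("alice/hunter2:", login(users, "alice", "hunter2"))
    print("alice/Hunter2:", login(users, "alice", "Hunter2"))
```

A dump of `users` after migration contains only salts and digests, so an attacker who copies the table still has to spend 600,000 SHA-256 iterations per guess per user. The rehash-on-login path is how a site raises its work factor over time without ever storing plaintext again.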


2. wiyosaya (TS Maniac, Posts: 939, +244)

    Yet another example of brain-dead security measures. Anyone storing passwords in plain text should find themselves another job.
3. Skidmarksdeluxe (TS Evangelist, Posts: 6,341, +1,939)

    When speaking on the matter, if they even decide to, they'll say "We take the security of our customers very, very seriously".
    Now where have I heard that before?...
4. 000webhost (TS Rookie)

We have witnessed a database breach on our main server. A hacker used an exploit in an old PHP version of the website, gaining access to our systems and exposing more than 13.5 million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.
We became aware of this issue on the 27th of October, and since then our team has been working to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.
At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.
At Hostinger and 000webhost we are committed to protecting user information and our systems. We are sorry and sincerely apologize that we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.
Our users' sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.
    Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.
    Arnas Stuopelis
    CEO, Hostinger
