An Australian security researcher was recently tipped off about a five-month-old security breach involving free webhosting company 000Webhost. The anonymous tipster claimed the attacker(s) got away with sensitive information belonging to 13 million site users.

The source further stated that the data consisted of full names, e-mail addresses and plaintext passwords. Turns out, he (or she) wasn’t bluffing.

In a recent post on Facebook, 000Webhost said a hacker used an exploit in an old PHP version to gain access to their database. The web host said a thorough investigation is under way and that it has changed all of the passwords and increased encryption to avoid such mishaps in the future.

Customer passwords have been reset as well, and the host urges all of its users not to reuse the same password and to change passwords at any other site or service that shared the same login credentials.

As Troy Hunt (the Australian security researcher) highlights, the breach shouldn’t be all that surprising after having a look at 000Webhost’s publicly accessible pages. For example, the members area login is served insecurely. The site also showed up on a couple of sites that shame lax security.

On his blog, Hunt extensively details how he came into the information, how he validated it and the numerous steps he took to try to get in touch with the company to inform them of the breach.