Security researcher Troy Hunt recently learned that a hacker had breached the free Web hosting service 000webhost and published more than 13 million users’ names, email addresses and plain text passwords.
Hunt was alerted to the breach by an anonymous note stating, “Hey, approximately 5 months ago, a certain hacker hacked into 000webhost and dumped a 13 million database consisted of name, last name, email and plaintext password.”
In an attempt to follow up on the issue, Hunt spent more than two days trying to get a response from 000webhost before he gave up. Via Twitter, he was able to get confirmation from the company’s users that the data dump was legitimate, and that it appeared to have been first released in March 2015.
One person told Hunt, “The database is selling for upwards of $2,000 right now, I can’t understand which moron would be considering giving you a copy for free when people can make some serious money from this database.”
It appears that all 000webhost user passwords have now been reset, and a message at 000webhost.com currently states, “Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.”
And in a statement on its Facebook page, the company wrote, “We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 million of our customers’ personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.”
“We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately,” 000webhost added. “We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.”
MicroStrategy president Jonathan Klein told eSecurity Planet by email that the 000webhost breach further exposes the password as an outdated security measure. “During the customer sign-up process, 000webhost permitted the user’s account name and password to be displayed in plain text in the address bar of the web browser, meaning that anyone with access to the website logs would also have the ability to access the user credentials,” he said.
“The credentials were also stored unencrypted on 000webhost’s servers,” Klein added. “At the very least, 000webhost should have encrypted all customer information in transit and at rest. But even better, they should have taken advantage of advanced security techniques, like multi-factor authentication, so user accounts would not be exposed to a simple breach of passwords.”
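The two weaknesses Klein describes, credentials carried in the URL (and therefore in every web server and proxy log along the way) and passwords stored in the clear, as an added Python example that is not code from 000webhost or from this article: a scanner that finds password-bearing query strings in constructed Apache-style access log lines and redacts them, beside a sign-up handler that only accepts credentials in a POST body and stores a salted, deliberately slow PBKDF2 hash rather than the password itself. One caveat a practitioner would add to the quote above: for passwords specifically, the right answer is a salted slow hash, not reversible encryption, since the server never needs the password back. The log lines, IP addresses, parameter names, the `SECRET_PARAMS` list, `handle_signup` and the stored-hash format are all assumptions made for illustration; TLS for transit is assumed and not shown.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not real 000webhost logs).
# Line 1 and line 3 are what a GET-based sign-up/login form leaves behind.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2015:10:14:22 +0000] "GET /signup.php?username=alice&email=alice%40example.com&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [27/Oct/2015:10:15:01 +0000] "POST /signup.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Oct/2015:10:16:40 +0000] "GET /login.php?user=bob&pass=Secret%21 HTTP/1.1" 200 880 "-" "curl/7.43.0"
198.51.100.5 - - [27/Oct/2015:10:17:03 +0000] "GET /index.php?page=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Assumed list of parameter names that should never appear in a URL.
# Longest names first so the redaction regex matches "password" before "pass".
SECRET_PARAMS = ("password", "passwd", "secret", "token", "pass", "pwd")
REDACT_RE = re.compile(
    r'([?&](?:' + "|".join(SECRET_PARAMS) + r')=)[^&\s"]*', re.IGNORECASE
)


def find_credentials_in_log(log_text):
    """Return (ip, path, [leaked parameter names]) for every request whose
    query string carries a secret-looking parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(p for p in params if p.lower() in SECRET_PARAMS)
        if leaked:
            hits.append((m.group("ip"), parts.path, leaked))
    return hits


def redact_line(line):
    """Blank the values of secret-looking query parameters so the log line
    can be retained without the credential."""
    return REDACT_RE.sub(r"\g<1>[REDACTED]", line)


# Iteration count is deliberately high so offline guessing is slow; tune it to
# roughly 100 ms per hash on the hardware that will serve logins.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.
    A fresh random salt per user means identical passwords hash differently."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def handle_signup(method, query, form):
    """Hypothetical sign-up handler. Refuses credentials in the URL and keeps
    only the hash. Returns (status_code, stored_record_or_None)."""
    if method != "POST":
        return 405, None  # credentials in a GET query string end up in logs
    if any(k.lower() in SECRET_PARAMS for k in query):
        return 400, None  # reject even a POST that also leaks via the URL
    record = {
        "username": form["username"],
        "password_hash": hash_password(form["password"]),
    }
    return 201, record


if __name__ == "__main__":
    for ip, path, leaked in find_credentials_in_log(SAMPLE_LOG):
        print(f"{ip} {path}: credential in URL via {', '.join(leaked)}")
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
    status, rec = handle_signup("POST", {}, {"username": "alice", "password": "hunter2"})
    print(status, rec)
```

Run over the constructed log, the scanner reports two leaking requests (the GET sign-up and the GET login) and nothing for the POST, which is the whole point: a form's method decides whether the password is in the request body or in a URL that every log file and proxy records. The same scanner is a cheap detection to run against an existing site's access logs before an incident, and `redact_line` is what a log pipeline should do to any line it cannot avoid keeping.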