There’s another data breach to report – and it’s a big one, affecting approximately 13 million customers of the “free” web hosting company 000Webhost.
The breached data, which includes customer names, emails and plaintext passwords (in other words, the passwords weren’t securely stored), has reportedly been put up for sale on underground markets.
What’s worse, the data breach happened some five months ago, according to security researcher Troy Hunt, who first reported the breach on his blog.
So cybercriminals had a big head start, and could have used the stolen credentials to access more than just 000Webhost clients’ websites and databases.
The crooks have likely been trying those usernames and passwords against other sites, too.
This is why we always say, “One account, one password.”
If you reuse the same password at multiple sites, your security is only as strong as the least secure one.
Hunt – who runs Have I Been Pwned, a site that helps you figure out if your name shows up in data dumps – said he was contacted by someone with knowledge of the data breach, and claims to have checked that the data wasn’t made up before attempting to report it to 000Webhost.
According to Hunt, 000Webhost never responded to him.
One of Hunt’s sources claimed that cybercriminals were “already making money” from the breached data.
000Webhost said on its Facebook page that it has reset all users’ passwords as of Wednesday, 28 October 2015.
According to the company’s Facebook post:
A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.
The company said it removed “illegally uploaded pages,” changed all passwords to “random values,” and “increased their encryption to avoid such mishaps in the future.”
The 000Webhost.com website was down for “maintenance” on Thursday (29 October, 22:00 GMT), with the following message:
Important! Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.
Your understanding?
There’s not much to understand, except that a company that really ought to know the basics of security – a web hosting service! – cut such a big corner.
For all that 000Webhost was itself the victim of a criminal attack, you’d have thought they could have done better than plaintext passwords…in 2015.
And “please come back later?”
Well, at least they said “please.”
Learn more
💡 Is it *really* such a bad idea to use a password twice? ►
💡 How to pick a proper password ►
💡 Storing passwords safely ►
(No video? Watch directly from YouTube. No audio? Click on the Captions icon.)
Image of birds escaping a cage courtesy of Shutterstock.com.
jejaffe
Troy Hunt, not “Hunter”
Paul Ducklin
Fixed, thanks.
jejaffe
You are welcome. This just popped up on my Firefox. I’ve never seen a message via this avenue. Please, to what did you send your reply?
Andy
Troy’s last name is ‘Hunt’ not ‘Hunter’.
He isn’t ‘proprietor of an identity theft service’ – see https://haveibeenpwned.com/About for details of what his site provides.
Paul Ducklin
I tweaked it. Thanks.
“Identity theft service” sounds a bit…well, I nearly said Ex????an, but managed not to :-)
Anonymous
Correction: it’s Troy Hunt, not Hunter.
Paul Ducklin
Sorted, thanks.
jaynturner
I stopped using 000webhost when I forgot my password and they sent it to me in plaintext. I knew the website wasn’t secure then and I took all my files down.
Paul Ducklin
Good move.
Michael
Same here. Unfortunately, they don’t seem to care to delete old user accounts. I have deleted mine about a year ago but still find the sign-up email on haveibeenpwned.com. As I signed up with a disposable email that I used for this specific purpose, it must come from them. Luckily, I adhere to the one site one password policy :) Let’s see if I will receive a notification on that email address.
InfoSecJobs
I’ve worked with a number of different hosting companies. I can say that this is definitely the standard and not the exception.
Will
I think an interesting takeaway from this is the level of response free services owe their customers when something like this happens. If they were smart, no doubt their ToS indemnifies them from fallout with this sort of thing (for however long that’s held up in court).
P.S. – While the “your understanding” bit is a cute headline and this is no doubt an embarrassing lack of good security practices, I do think that’s something you’d typically put up on a landing page when your site is down for an extended period. I don’t think it was meant as the sole apology for the incident.
000webhost
A message from CEO Arnas Stuopelis about 000webhost data breach.
We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers’ personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.
We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.
At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.
At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn’t manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.
Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.
Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.
Ocean Midge
“We are still working 24/7 in order to identify and eliminate all security flaws.”
“Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure”
Ever heard the expression “Information Security is a journey, not a destination”?
You will never eliminate all security flaws, and your services never are and never will be fully secure.
And to come to an information security-focussed site, and claim “we are committed to protect user information and our systems” on the same page that tells us that you were using an unpatched version of PHP on an internet-facing system and you didn’t encrypt any user information is completely farcical.
John
“increased the level of encryption to prevent such issues in the future.”, that line makes me laugh. Bit difficult to “increase the level of encryption” if there was no encryption in the first place.
Bryan
au contraire…
when using zero encryption, even rot13 would be a step up
:-)