000webhost, the world’s most popular free web hosting company, has suffered a major breach that exposed client data and user credentials for more than 13 million of its customers. The stolen data includes usernames and passwords stored in plain text, alongside the full names and IP addresses of close to 13.5 million customers. The service claims to provide reliable, high-speed web hosting free of cost.
The leaked data was also obtained by Troy Hunt, an Australian security researcher and the person behind HaveIBeenPwned.com, a service that lets people check whether their personal data has been exposed in a website data breach. Hunt received the data from someone who contacted him and said the hack had happened five months earlier.
Hunt also contacted five 000webhost customers and confirmed that the leak was authentic by verifying their names, passwords, email addresses and the IP addresses they had used to access 000webhost. Hunt wrote in a blog post:
By now there’s no remaining doubt that the breach is legitimate and that impacted users will have to know.
Thomas Brewster, a Forbes security researcher, and Hunt worked hard to notify company officials via email, social networks and phone calls and get them to tell their users about the data breach. So far, their efforts have been in vain: the company has not responded, but it has started asking customers who try to log in to set new passwords, as the old ones have been reset “by 000Webhost system for security reasons.”
The company hadn’t removed a subsequent post asking why the messages had been deleted…
Meanwhile, as the forum post above indicated, 000Webhost continues to try to upsell to its “partner” services. Hunt highlighted an email he’d received today from 000Webhost advertising Hostinger as “the biggest free web hosting provider in United Kingdom”. Again, there was no warning of any possible security issue.
The company has tried various tactics before to get users to move over to other Hostinger services. On its homepage it promotes hosting24.com as a premium service at $4.84 a month. A number of users have also complained that their websites carried pop-up ads for the parent company. It would appear 000Webhost is the free-of-charge hook used to acquire customers before they are reeled in for, apparently, better and safer products.
Last night, the company finally let its customers know about the hack in a brief Facebook post:
We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.
Troy Hunt also discovered a number of other weaknesses: the website’s communications ran over unencrypted HTTP, and the resulting login page included the user’s password in plain text in the page’s source code.
Anyone with a 000webhost account should stay alert and change their password on any other service where they used the same one. Website hacks have become much more common, and while most websites encrypt passwords, it is much safer to use a unique, strong password for every online service.