000webhost suffers major data breach, loses 13 million plaintext passwords

News by Roi Perez

Thirteen million customers of the "free" web hosting company 000Webhost have suffered following a significant data breach, with data reportedly already for sale on underground markets.

Thirteen million customers of the "free" web hosting company 000Webhost have been told that the company has experienced a significant data breach.

Data stolen includes customer names, emails and plaintext passwords. It has been reported that the data has already been put up for sale on underground markets and sources have claimed that cyber-criminals were "already making money" from the breached data.

According to security researcher Troy Hunt, the data breach occurred nearly five months ago. Hunt, who runs Have I Been Pwned, a site that helps you figure out if your name shows up in data dumps, said he was contacted by someone with knowledge of the data breach.

According to Hunt,  the individual claimed to have checked that the data wasn't made up before attempting to report it to 000Webhost. Once reported, Hunt said that 000Webhost never responded to him.

000Webhost said on its Facebook page that it has reset all users' passwords as of Wednesday, 28 October 2015. According to the company's Facebook post:

“A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.”

The company said it removed "illegally uploaded pages," changed all passwords to "random values," and "increased their encryption to avoid such mishaps in the future".

Security breach

The 000Webhost.com website was down for "maintenance" on Thursday (29 October, 22:00 GMT), with the following message:

Important! Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.

000Webhosting has come under fire for not taking the adequate measures to protect its customer data and cutting corners with online security.

SCMagazineUK.com understands from sources that there is a rise in companies that aren't constantly monitoring their security, and rather only ensuring they are PCI DSS compliant when it comes to the yearly check.

Ilia Kolochenko, CEO of High-Tech Bridge, explained that “being SSL/TLS compliant and securing a website are not the same thing, but are generally indicative of each other. If one is weak, generally the other one will be as well”.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews