Webhosting company loses 13 million plaintext passwords, says “thanks for your understanding”


There’s another data breach to report – and it’s a big one, affecting approximately 13 million customers of the “free” web hosting company 000Webhost.

The breached data, which includes customer names, emails and plaintext passwords (in other words, the passwords weren’t securely stored), has reportedly been put up for sale on underground markets.

What’s worse, the data breach happened some five months ago, according to security researcher Troy Hunt, who first reported the breach on his blog.

So cybercriminals had a big head start, and could have used the stolen credentials to access more than just 000Webhost clients’ websites and databases.

The crooks have likely been trying those usernames and passwords against other sites, too.

This is why we always say, “One account, one password.”

If you reuse the same password at multiple sites, your security is only as strong as the least secure one.

Hunt – who runs Have I Been Pwned, a site that helps you figure out if your name shows up in data dumps – said he was contacted by someone with knowledge of the data breach, and claims to have checked that the data wasn’t made up before attempting to report it to 000Webhost.

According to Hunt, 000Webhost never responded to him.

One of Hunt’s sources claimed that cybercriminals were “already making money” from the breached data.

000Webhost said on its Facebook page that it has reset all users’ passwords as of Wednesday, 28 October 2015.

According to the company’s Facebook post:

A hacker used an exploit in an old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

The company said it removed “illegally uploaded pages,” changed all passwords to “random values,” and “increased their encryption to avoid such mishaps in the future.”
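The right fix is not "more encryption" (which is reversible by anyone holding the key) but a salted, slow one-way hash, so that a dumped user table does not hand over the passwords or even reveal which users share one. The following added example is not 000Webhost's code; it uses only Python's standard library, and the PBKDF2 iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this example.
# Tune it so one verification costs a noticeable fraction of a second.
ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Return what the user table should hold instead of the plaintext:
    a random per-user salt plus a slow, salted one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so a login check never needs the plaintext and never leaks timing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def stores_plaintext(record: dict) -> bool:
    """True if a leaked copy of this record would expose the password
    outright, as the 000Webhost dump did."""
    return "password" in record


if __name__ == "__main__":
    # Constructed sample passwords; two users happen to pick the same one.
    alice = make_record("correct horse battery staple")
    bob = make_record("correct horse battery staple")
    print(verify("correct horse battery staple", alice))  # True
    print(verify("wrong guess", alice))                   # False
    # Distinct salts: identical passwords do not produce identical hashes,
    # so a dump does not even show that Alice and Bob share a password.
    print(alice["hash"] != bob["hash"])                   # True
    print(stores_plaintext(alice))                        # False
```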

The 000Webhost.com website was down for “maintenance” on Thursday (29 October, 22:00 GMT), with the following message:

000webhost website maintenance

Important! Due to a security breach, we have set http://www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.

Your understanding?

There’s not much to understand, except that a company that really ought to know the basics of security – a web hosting service! – cut such a big corner.

For all that 000Webhost was itself the victim of a criminal attack, you’d have thought they could have done better than plaintext passwords…in 2015.

And “please come back later?”

Well, at least they said “please.”

Learn more

💡 Is it *really* such a bad idea to use a password twice?

💡 How to pick a proper password

💡 Storing passwords safely

