Webhosting company loses 13 million plaintext passwords, says “thanks for your understanding”


There’s another data breach to report – and it’s a big one, affecting approximately 13 million customers of the “free” web hosting company 000Webhost.

The breached data, which includes customer names, email addresses and plaintext passwords (in other words, the passwords were stored unhashed, so anyone holding the database dump can read them directly), has reportedly been put up for sale on underground markets.

What’s worse, the data breach happened some five months ago, according to security researcher Troy Hunt, who first reported the breach on his blog.

So cybercriminals had a big head start, and could have used the stolen credentials to access more than just 000Webhost clients’ websites and databases.

The crooks have likely been trying those usernames and passwords against other sites, too.

This is why we always say, “One account, one password.”

If you reuse the same password at multiple sites, your security is only as strong as the least secure one.

Hunt – proprietor of an identity theft service called Have I Been Pwned – said he was contacted by someone with knowledge of the data breach, and claims to have checked that the data wasn’t made up before attempting to report it to 000Webhost.

According to Hunt, 000Webhost never responded to him.

One of Hunt’s sources claimed that cybercriminals were “already making money” from the breached data.

000Webhost said on its Facebook page that it has reset all users’ passwords as of Wednesday, 28 October 2015.

According to the company’s Facebook post:

A hacker used an exploit in an old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

The company said it removed “illegally uploaded pages,” changed all passwords to “random values,” and “increased their encryption to avoid such mishaps in the future.”

The 000Webhost.com website was down for “maintenance” on Thursday (29 October, 22:00 GMT), with the following message:

000webhost website maintenance

Important! Due to a security breach, we have set the www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.

Your understanding?

There’s not much to understand, except that a company that really ought to know the basics of security – a web hosting service! – cut such a big corner.

For all that 000Webhost was itself the victim of a criminal attack, you’d have thought they could have done better than plaintext passwords… in 2015.

And “please come back later?”

Well, at least they said “please.”

Source: sophos.com