000webhost hacked: 13 million accounts + passwords dumped

[LeadCrow]

13 Million Passwords Appear To Have Leaked From This Free Web Host
28 October 2015

Type in “free web hosting” int Google and a variety of options are presented. Near the top is a Lithuanian company called 000Webhost. It’s high Google ranking could well be the reason it is believed to have millions of users. Unfortunately for them, all their usernames and passwords have been leaked, FORBES understands.

Earlier this week, I was contacted by Troy Hunt, Microsoft MVP and owner of haveibeenpwned.com, a website that sucks in email addresses from significant breaches so users can quickly check whether their data was compromised. Hunt informed me he’d been contacted by an anonymous source who’d passed along a database allegedly belonging to 000Webhost, containing usernames and passwords ostensibly belonging to just more than 13.5 million users. They didn’t appear to have been leaked online before and the database looked legitimate, piquing Hunt’s interest.

Hunt and I subsequently tested various emails in the database, attempting to sign up new accounts using the leaked addresses only to be told in auto-generated responses those emails were already in use by customers; a big clue indicating the database contained real user data.

Hunt spoke with five 000Webhost users, who confirmed their passwords matched with those he’d been handed. He also found his own email address in the database. It appeared someone had registered an account in Hunt’s name and could do so because 000Webhost didn’t do any validation using the email. He subsequently took control of the account by issuing a password reset.

Convinced this looked like a real breach, I tried to contact and warn 000Webhost. The company, however, has been almost impossible to engage in any dialogue about a possible breach. Over Monday, Tuesday and Wednesday, FORBES made numerous attempts to contact 000Webhost through its online form – the only obvious way to make contact.

...

Full story on Forbes.
000webhost updated their Facebook page with a statement.

Hello,
We have witnessed a database breach on our main server.

What happened?
A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

What did we do about it?
First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.

What do you need to do?
As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.

Client Area Password
Please visit Password Reminder tool athttp://members.000webhost.com/forgot_password.phpand enter your email address, the new password will be sent to your email. Afterwards, login to your account with the new password and manually set a new, secure password athttp://members.000webhost.com/edit_your_details.php

Hosting Account Password
To reset the password for your hosting account (and FTP), visit "Change Account Password" section on control panel and enter a new password there.

Email Account Password
Email account passwords should be changed by visiting "Manage Email Accounts" section and clicking "Change password" for each email account.

MySQL User (Database) Password
MySQL user passwords are managed in "MySQL" section on control panel. In the "Action" field click the "Change Password" and set a new password there.

We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future.

Regards
000webhost Team

 

[Digital Phoenix]

Wow

 

[LeadCrow]

The lacklustre security is probably not even the worst part.

If the database was already on sale underground, the password reset was completely pointless unless 000webhost has a way to forcefully expire passwords on stolen databases (on whom the old passwords already dumped would keep working). All it did was cause an inconvenience to active account holders and lock out inactive users while the data thieves (and everyone else acquiring a copy of the database) keep full access.

 

[Digital Phoenix]

One would be to question however, why the hell was a webhost running an outdated and insecure version of php on their main server.

 

[LeadCrow]

That's free hosting's whole business model... fire and forget, not quality service. Once you hooked users, all you need to do is upsell them to paid accounts.

Some are even shady enough to mask big data sale (voluntary or forced) as "hacks" to pose as victims (this way the data can be sold multiple times), although there's also statistically the 'you get to keep your fingers' business proposals.

 

[ozzy47]

One would be to question however, why the hell was a webhost running an outdated and insecure version of php on their main server.

Possibly they know users are running software that is not able to run on newer PHP versions.

 

[LeadCrow]

Or they simply dont care... Since people used software that ran on those old versions, there's no incentive at all to upgrade the server stack. Cheapskates will keep complying with limitations as they are added and changed.

Remember 110mb? It used to be an alright free host, but it kept crippling the stack, then nickeling and diming users until mysql and FTP became paid features.

 

[Digital Phoenix]

Possibly they know users are running software that is not able to run on newer PHP versions.

From what I gathered, this hack was on their primary server where they kept client details, not webaites.
It should have been fully up to date and secure.

 

[Hauyser]

Ah, someones going to get fired over this...

 

[LeadCrow]

I doubt so. The very best news for 00webhosts's owners would be its closure, as it would instantly rid them of otherwise unprofitable liabilities still owed services. They could then focus on their classic paid hosting business, and 'rehire' there any employee no longer filed as employed by 000.

 

[HallofFamer]

Hmm what is the version of PHP on the server that got hacked? And why would this be the cause of password compromise of millions of users?

 

[Danielx64]

Hmm what is the version of PHP on the server that got hacked? And why would this be the cause of password compromise of millions of users?

Well when I was reading their forum (quite sometime ago) I read that all servers are on the same version and that they wouldn't be upgrading php because their control panel wouldn't work on later version.

 

[ozzy47]

Well when I was reading their forum (quite sometime ago) I read that all servers are on the same version and that they wouldn't be upgrading php because their control panel wouldn't work on later version.

So they follow the same road as some software companies. Don't make the software run with the new stuff in the web, take the lazy way out and not do nothing. Real smart.

 

[Danielx64]

So they follow the same road as some software companies. Don't make the software run with the new stuff in the web, take the lazy way out and not do nothing. Real smart.

Correct, and I wouldn't be surprise if phpinfo is dead on (with different hostname) the same on the client servers as well as the control server.

 

[prism.pw]

I had an account there several years ago but it was with old email and a password i have never used before.

 

[cheat_master30]

So they didn't encrypt passwords at all and sent them through the register/login forms via $_GET. Oh god, their knowledge of security is horrendous.

 

[000webhost]

We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.

Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.

Contact:

Arnas Stuopelis

CEO, Hostinger

press@hostinger.com

 

[Liam]

We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.

Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.

Contact:

Arnas Stuopelis

CEO, Hostinger

press@hostinger.com

1) "exploit in old PHP version" really? I don't think you have to pay to upgrade PHP to a decent version.
2) I read somewhere that the passwords are stored in plaintext. Wow.

Free doesn't mean total and utter disregard for "client" safety. It's not rocket science to hash up a password before storing it. Thanks to you a very old e-mail I have is now enjoyed by a couple of people.

I know this could happen to any company, but those reasons are unacceptable for a hosting service, even though it IS free.