000webhost is one of the most popular free hosting providers on the Internet. Unfortunately for the company and its users, the usernames and passwords of all 13 million user accounts have been leaked in what was eventually revealed to be a database breach, carried out by exploiting a vulnerability in an old version of PHP.

The attacker was able to upload files (presumably a PHP file) and gain access to the web host’s systems, obtaining the entire database of over 13.5 million user records together with their passwords, which, shockingly, were stored in plaintext.

The web host also seemed careless in the way it handled users’ credentials. Not only were credentials being passed in the clear, rather than encrypted in transit via TLS/SSL, but on account creation both the username and password were sent in a GET request instead of a POST request. This means that usernames and passwords were embedded in URLs, and therefore ended up in all kinds of web server access logs and browser history.
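The two defensive checks that follow from the previous two paragraphs, as an added example (not code from the original post or from 000webhost): a scan over access-log lines for credential-like parameters in query strings, which is exactly where GET-submitted passwords end up, and a salted, slow password hash with constant-time verification in place of plaintext storage. The log lines, parameter names and iteration count are constructed assumptions for the demonstration; PBKDF2 from the standard library is used so the block runs anywhere, though Argon2 or bcrypt would be the usual production choice.

```python
"""Added example: detecting credentials leaked via GET requests in access logs,
and hashing passwords properly instead of storing them in plaintext."""
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log in Apache combined format (not real 000webhost data).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Oct/2015:10:01:02 +0000] "GET /signup.php?email=alice%40example.com&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Oct/2015:10:01:05 +0000] "POST /signup.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Oct/2015:10:02:11 +0000] "GET /login?user=bob&pass=secret HTTP/1.1" 200 340 "-" "curl/7.45"
198.51.100.8 - - [27/Oct/2015:10:03:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed list of parameter names that should never travel in a URL.
SENSITIVE_PARAMS = {"password", "pass", "passwd", "pwd", "token", "secret"}

# Pulls the request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credential_leaks(log_text):
    """Return (line_no, method, path, [param names]) for every request whose
    query string carries a credential-like parameter. Only the parameter
    names are reported, so the finding itself does not re-leak the value."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        leaked = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                  if name.lower() in SENSITIVE_PARAMS]
        if leaked:
            findings.append((line_no, match.group("method"), parts.path, leaked))
    return findings


# Iteration count is an assumption for the example; tune it to your hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Store a random per-user salt plus a slow PBKDF2-HMAC-SHA256 digest.
    The plaintext never reaches the database."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for line_no, method, path, names in find_credential_leaks(SAMPLE_LOG):
        print("line %d: %s %s leaks %s in the query string" % (line_no, method, path, names))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("login ok:", verify_password("hunter2", record))
```

Running the scan against a real access log is a quick way to confirm whether a signup or login form has ever submitted credentials over GET; any hit means those values must be treated as compromised and rotated, since they persist in every proxy, CDN and browser history that saw the URL.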

The breach was uncovered by security researcher Troy Hunt, who gave a full rundown of all the details surrounding the breach and his attempts to contact the web host on his blog.

Breaches such as this one could have been easily prevented with some basic attention to security best practices. What makes matters worse in this case is that these vulnerabilities are all low-hanging fruit, most of which would have been easily identified by an automated web application security scan.

Ian Muscat

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

  • A message from CEO Arnas Stuopelis about the 000webhost data breach.

    We have witnessed a database breach on our main server. A hacker used an exploit in an old PHP version of the website, gaining access to our systems and exposing more than 13.5 million of our customers’ personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

    We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

    At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

    At Hostinger and 000webhost we are committed to protecting user information and our systems. We are sorry and sincerely apologize that we didn’t manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

    Our users’ sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.

    Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.

    Arnas Stuopelis
    CEO, Hostinger
