000webhost is one of the most popular free hosting providers out on the Internet. Unfortunately for them and their users, all their 13 million user accounts have had their usernames and passwords leaked through what was eventually revealed to be a database breach via an exploit of a vulnerability in an old version of PHP.

The attacker was able to upload files (presumably a PHP file) and gain access to the web host’s systems, obtaining access to the entire database containing over 13.5 million user details and their password, which shockingly enough were stored in plaintext!

The web host also seemed to be careless in the way it handled user’s credentials. Not only were users’ credentials being passed in the clear, as opposed to being properly encrypted during transit via TLS/SSL, but both the username and password were being sent by means of a GET request as opposed to a POST request upon the creation of a new account. This means that usernames and passwords were passed in URLs, and therefore these passwords reside in all kinds of access and browser history logs.

The breach was uncovered by security researcher Troy Hunt, who gave a full rundown of all the details surrounding the breach and his attempts to contact the web host on his blog.

Breaches such as this one could have been easily prevented with some basic attention to security best-practices. What makes matters worse in this case is that such vulnerabilities are all low-hanging fruit, most of which would have been easily identified with an automated web application security scan.

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.