A lone security researcher has discovered a trove of data containing more than 13 million plaintext passwords that belong to users of 000WebHost, the world’s largest free web hosting company.
The leak was discovered by Troy Hunt, an Australian security researcher and operator of the well-known website Have I Been Pwned?, a service that lets users check whether their personal data was exposed in past or recent breaches. The data includes users' personal names and email addresses. Hunt received the data from an unknown source, who claimed the hack occurred more than five months ago.
Thus far, Hunt has confirmed that five names from the breach belong to active users, and the data obtained in the leak includes names, passwords and a list of IP addresses customers used to access 000WebHost.
“By now there’s no remaining doubt that the breach is legitimate and that impacted users will have to know,” he explained in a blog post published Wednesday. Hunt says he has notified the appropriate company officials and tried to get them to publicly warn users that their passwords were exposed in plaintext. Thus far, all that has happened is that users who log in are notified their password has been reset “by 000Webhost system for security reasons.”
Hours after Hunt’s article went live, 000WebHost finally confirmed the breach in a Facebook post, saying hackers had exploited an old version of PHP to gain access to 000WebHost systems. The warning makes no reference to passwords being exposed in plaintext, though it does advise users to change their password. Hunt says there is evidence suggesting the breach may have extended beyond 000WebHost to other web hosting providers, presumably through partnerships with the company.
Hunt says he encountered a number of security weaknesses while browsing the 000WebHost website, specifically the use of unencrypted HTTP on the login page, and even an error that placed users’ passwords in plaintext in the URL. Given the poor security of the web host itself, it can be presumed the company did not follow standard practices such as cryptographically hashing user passwords before storing them. Another scenario is that hackers exploited the site via SQL injection, gaining privileged access to 000WebHost systems.
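As an added illustration of the contrast the article draws (not code from 000WebHost or from Hunt’s post): the plaintext storage pattern beside the standard practice of a salted, slow cryptographic hash, using only Python’s standard library. The record format and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not 000WebHost's code: the weak pattern the article
# describes (passwords stored as-is) beside the practice it names (a salted,
# slow cryptographic hash). The record layout and cost factor are assumptions.

PBKDF2_ITERATIONS = 600_000  # cost factor; raise it as hardware gets faster


def store_plaintext(password: str) -> str:
    """Weak: the stored record *is* the password, so a dump leaks it directly."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt per user means identical passwords yield different
    records, and the iteration count makes offline guessing expensive.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record never verifies
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def record_reveals_password(password: str, record: str) -> bool:
    """What someone holding a database dump learns: is the password in the record?"""
    return password in record
```

With the hashed form, a stolen table still has to be brute-forced per user, which is the window the article says Ashley Madison users had and 000WebHost users did not.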
The recent 000WebHost hack is sizable, affecting some 13 million users, but it is quite small compared to recent data breaches at huge corporations, such as the breach of affair website Ashley Madison, which affected a whopping 34 million users. In that case the passwords were encrypted, yet due to an error some 11 million could still be decrypted. Even though those passwords were eventually cracked, the fact that they were protected for a period of time gave users enough time to change them, unlike the 000WebHost hack, which came out of the gate with 13 million plaintext passwords.
All 000WebHost users should change their password immediately and keep an eye on their account. Users who reused the same password on other sites should change those passwords as well. Now that the passwords have been leaked, attackers can try to abuse the credentials on other sites, possibly compromising more than just your 000WebHost account.