The part that is interesting is how it must have happened. The passwords had been stored in plain text!
Forbes.com Wrote: Regardless of what happened to the hosting firm, a cursory look at the site shows it’s carrying a number of potentially exploitable security weaknesses. FORBES found the 000Webhost forum site ran off an old, vulnerable platform: vBulletin Version 3.8.2. That version was released in 2009. The latest and likely most secure version is 5.1.9.
Whilst the usernames and passwords are all stored in plain text, the signup page is not protected by web encryption either, meaning any hacker able to intercept communications between the user and the web server can quickly grab the login details entered by fresh registrants. And, when signing up for a 000Webhost account, the username and password are spelt out in plaintext in the address bar, meaning anyone with access to the website logs would have access to the credentials too.
“Many things surprised me about this incident, not least of which was just how hard it was to get in touch with 000Webhost. As of now, I’ve still had no response about the breach report itself even though they’ve clearly acknowledged it by resetting everyone’s passwords,” said Hunt.
“I never cease to be amazed at just how badly wrong an organisation can get security. It was only this week we learned of the TalkTalk attack having been carried out by a 15-year-old using free tools, now we’re seeing how 000Webhost stored over 13 million passwords in plain text which is simply unforgivable.”
000Webhost evidently went with the cheap and easy sell when it launched in 2007. It decided to forego security measures, promising better protections, including web encryption, for those who signed up to premium accounts on hosting24.com. But that decision could well have cost a vast number of users their private data.
Anyone who believes they are affected can check if their 000Webhost logins were leaked by using Hunt’s haveibeenpwned.com site, which, depressingly, has collected records of 226,449,378 leaked accounts to date. If your name is in there, get changing those passwords and maybe think about using hosting services with better promises on security.
What is particularly interesting to me is that about three years ago I came across a hacker tutorial that recommended 000Webhost.com as an ideal host for creating those famous single hacker pages. Can't help but wonder how many hackers have been hacked as well.
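The two failures the Forbes excerpt describes (passwords stored in plain text, and credentials carried in the URL where web-server logs capture them) are both easy to get right. The following is an added example, not code from 000Webhost, vBulletin, or the post above: it stores passwords as salted PBKDF2-HMAC-SHA256 records using only the Python standard library, verifies them with a constant-time comparison, and includes a small check that flags URLs carrying password-like query parameters, the kind of thing a defender can run over access logs. The iteration count, record format, parameter names and sample credentials are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

# Assumed parameters for this example; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"

# Query-parameter names treated as credential-bearing (assumed list for the check below).
CREDENTIAL_PARAMS = {"password", "passwd", "pass", "pwd"}


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and a leaked table cannot be attacked with one
    precomputed lookup for everyone at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


def plaintext_exposed(record: str, password: str) -> bool:
    """True if a leaked record would hand the attacker the password directly."""
    return password in record


def credentials_in_url(url: str) -> set[str]:
    """Return the credential-like query parameter names present in a URL.

    A signup form that submits via GET puts the password in the request line,
    which is exactly what ends up in access logs and proxy logs.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name for name in query if name.lower() in CREDENTIAL_PARAMS}


if __name__ == "__main__":
    # Constructed sample data; not real accounts.
    plaintext_table = {"alice": "correct-horse-battery"}
    hashed_table = {user: hash_password(pw) for user, pw in plaintext_table.items()}

    for user, pw in plaintext_table.items():
        print(user, "plain text record exposes password:", plaintext_exposed(pw, pw))
        print(user, "hashed record exposes password:", plaintext_exposed(hashed_table[user], pw))
        print(user, "login with right password:", verify_password(pw, hashed_table[user]))
        print(user, "login with wrong password:", verify_password("guess", hashed_table[user]))

    # Constructed log line shaped like the GET-based signup the article describes.
    logged_url = "https://example.test/signup?username=bob&password=s3cret"
    print("credential params in logged URL:", credentials_in_url(logged_url))
```

Running the block shows the hashed record never contains the password while logins still verify, and that the constructed signup URL is flagged for carrying a `password` parameter; in practice the form should submit via POST over TLS so no credential ever reaches a request line or log.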