000webhost Penetrated: 13 Million Plaintext Passwords Compromised

It's been said before but it bears repeating that if you're not paying for a service, you are the service. Furthermore, if you are the service, you get what you pay for, which in the realm of digital security, means that free-loaders are free-basing if they think that their data is in any way secure.

Which brings us to today's episode of "no one could've predicted", where 000webhost.com (archived), an online web service advertising "free" PHP and MySQL hosting with up to 1.5 gigabytes of storage and 100 gigabytes of traffic, has been revealed to be storing user credentials, including plaintext passwords, in the URL, as well as generally neglecting even rudimentary uses of cryptography to protect user information and content. This investigation came after the exceedingly mild-mannered, if persistent, "security researcher" Troy Hunt (archived), was tipped off to the data breach by an unnamed contact, a breach which itself contained full names, usernames, passwords, email addresses, and IP addresses. Interestingly, while Hunt has added the 13,545,468 email addresses to his own free service, the searchable database Have I Been Pwned? (archived), he has a personal policy of not publicly sharing the precise contents of data breaches with the general public.

However, it can still be determined that the magnitude of the gross and insipid incompetence of the 000webhost team1 raises the bar for obscurantist obstinacy, a bar that wasn't particularly low after the recent FetLife and Ashley Madison embarrassments.


  1. and that of parent company Hostinger (archived)  

4 thoughts on “000webhost Penetrated: 13 Million Plaintext Passwords Compromised

  1. A message from CEO Arnas Stuopelis about 000webhost data breach.

    We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

    We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

    At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

    At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

    Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.
    Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.

    Contact:
    Arnas Stuopelis
    CEO, Hostinger
    press@hostinger.com

    • Tellingly, the string "plaintext passwords" does not appear in your regurgiation. That you fail AGAIN in predictable ways after having just failed in the amusingly predictable way of plaintext passwords is indicative of the plain fact that you, as a group, and each and every single person involved, from the drone going around pasting this inane shit to the purported CEO of the whole charade, have no business whatsoever being in business.

      Off to the kitchen with the lot of you, spend your remaining years raising some woman's children by another man. Quietly.

    • Do you even bcrypt?

    • This ad, brought to you by our dear leader, the CEO:

      Our service, built from the ground up with security in mind using state-of-the-art ROT13 has been effected by an unexpected security flaw encountered in the algorithm. Rest assured Serious Cat takes the quality of our service very seriously, and is seriously working much very hard, carrying out an internal meowestigation, while cooperating with law enforcement, to fix it. Cow in mind that there's no such thing as secure software, there are always accidental bugs and oversights, so impossibru to avoid these security issues. But we are very sorry and apologise.

      We advise our users to update the antivirus, enable 2FA, and make sure they have the latest Windows fully patched to insure that they will be very safe.

      –The CEO

Leave a Reply to William Dunne Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>