Hackers put up for sale 13 million plaintext passwords stolen from 000webhost

000webhost, a popular free web hosting service, has suffered a data breach that resulted in the compromise of the name, email address and plaintext password of some 13 million of its customers.

The compromise was publicly disclosed on Wednesday by Troy Hunt, a Microsoft MVP for Developer Security and the creator and administrator of the Have I been pwned? service, where users can check whether their personal data has been leaked somewhere on the web.

He initially got the information about the breach from an anonymous tipster, who pointed him towards the database containing the compromised info.

He immediately started to analyze it, trying to discover whether the information in the database is legitimate. After having had many problems in trying to get in touch with someone at 000webhost who could help him, he made a public plea on Twitter, asking 000webhost users for help.

A few got in touch and confirmed that their email address and password are among the ones in the database.

After news about the possible breach started circulating, another tipster got in touch saying that “The database is selling for upwards of $2,000 right now, I can’t understand which moron would be considering giving you a copy for free when people can make some serious money from this database.”

The truthfulness of this message has later been confirmed by the original tipster, who told Hunt that he would prefer if no one notified 000webhost regarding this because friends of his are making money from the stolen information.

“So consider the ramifications of this: there are potentially 13M people having their details traded for commercial purposes. The only reason anyone pays for this sort of information is because they expect an ROI; they will gain something themselves from having paid a couple of grand for the credentials. That may mean exploiting the victims’ 000webhost account but more than likely it also means exploiting their other accounts where they’ve reused credentials,” Hunt explained.

000webhost finally confirmed the breach on Wednesday afternoon.

“A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information,” they said on their Facebook page, but said nothing about plaintext passwords.

What they did say is that they “changed all the passwords and increased their encryption to avoid such mishaps in the future”, and advised users to change their passwords for the hosting account, email account, and MySQL user database.

“We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future,” they concluded.

But, according to Hunt’s analysis of the company’s site, their security practices are very sloppy to begin with, so this promises don’t mean much.

As of Tuesday morning, all 000webhost users who tried to login to the service were urged to change their passwords, which have been reset by the company’s system for security reasons.

Still, no additional explanation of this or a notification about the breach has been sent directly to the users. And the fact that the breach happened approximately five months ago has not been mentioned by the hosting company.

This long period between the breach and its discovery and/or its public acknowledgement has certainly allowed criminals to compromise various accounts of those careless users who used the same password on a number of accounts.

Hunt also pointed out that some other web hosting providers who have probably partnered with 000webhost have possibly been breached, and their stolen information included in the database for sale.