000WebHost, one of the most popular free web hosting providers, based in Lithuania, has been hacked, and the details of over 13.5 million user accounts have been stolen.
The hack was discovered by Australian security researcher Troy Hunt. Hunt announced on the 28th of October that he had found over 13.5 million sets of details, which included plain text passwords, usernames, IP addresses and email addresses. What is even more worrying is that the data dates back to a breach at 000WebHost in March this year.
By the time Hunt became aware of the breach via an anonymous source, the database was selling for over $2000. Hunt tried for four days to contact 000WebHost to inform them of the breach but was unsuccessful, and eventually got Thomas Fox-Brewster at Forbes to assist.
Fox-Brewster also did not have much success contacting the company. He did some digging and discovered that 000Webhost and 24hosting.com are both owned by the parent company Hostinger. Despite trying to contact someone in authority via 24hosting.com, he was ultimately unsuccessful.
The attempts to contact 000Webhost make for a story in their own right, and you can read all the details about the lengths they went to in order to get in touch here (Hunt) and here (Fox-Brewster). It is quite worrying just how difficult it was to reach someone in authority at the hosting provider.
How did the 000WebHost Hack Happen?
000WebHost confirmed in a post on Facebook that the breach was due to the attackers exploiting an old PHP version that was in use on their website. That being said, Fox-Brewster noticed further security weaknesses at the company during his investigation. The main issues concerned how login details were transmitted and stored:
- The usernames and passwords were stored in plain text
- The sign-up page was not served over an encrypted connection, meaning an attacker could intercept communications between the user and the server
- When signing up for a new account, the username and password appeared in plain text, so anyone with access to the website logs could read them
Not only that, but the forum 000WebHost used was running vBulletin version 3.8.2, while the latest version is 5.1.9. As a result, it is likely to contain many known vulnerabilities.
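To make the first weakness concrete, here is an added example (not code from the article or from 000WebHost) that puts the plain-text storage pattern beside a hardened one: a per-user random salt, a slow memory-hard KDF (scrypt from the standard library), and a constant-time comparison on login. It also shows what the announcement's "reset all passwords to random values" step looks like in code. The scrypt cost parameters, the sample usernames and the passwords are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not 000WebHost's code: contrasts the plain-text storage the
# article describes with salted, memory-hard password hashing. The scrypt
# parameters below are assumptions chosen so the demo runs quickly.
SCRYPT_N = 2 ** 14   # CPU/memory cost factor (assumed demo value)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16


def store_plaintext(db: dict, username: str, password: str) -> None:
    """The weak pattern: the raw password is written into the user record.
    Whoever reads the table, a backup, or a request log holds every credential."""
    db[username] = {"password": password}


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the password and salt with scrypt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_hashed(db: dict, username: str, password: str) -> None:
    """Hardened pattern: fresh random salt per user, slow KDF, no plaintext kept."""
    salt = os.urandom(SALT_BYTES)
    db[username] = {"kdf": "scrypt", "salt": salt.hex(),
                    "hash": _kdf(password, salt).hex()}


def verify_hashed(db: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Records without a scrypt hash (e.g. plain-text ones) never verify."""
    rec = db.get(username)
    if rec is None or rec.get("kdf") != "scrypt":
        return False
    candidate = _kdf(password, bytes.fromhex(rec["salt"]))
    return hmac.compare_digest(candidate.hex(), rec["hash"])


def reset_all_passwords(db: dict) -> dict:
    """Mirrors the breach response in the announcement: every account gets a new
    random password. The new values are returned only so the demo can show they
    were applied; a real system would hand them out via a reset flow, not keep them."""
    new_passwords = {}
    for username in list(db):
        new_passwords[username] = secrets.token_urlsafe(16)
        store_hashed(db, username, new_passwords[username])
    return new_passwords


def leaked_credentials(db: dict) -> list:
    """What a dump of the table hands over: every (user, password) pair that is
    recoverable by simply reading the records."""
    return sorted((u, r["password"]) for u, r in db.items() if "password" in r)


if __name__ == "__main__":
    weak, hardened = {}, {}
    for user, pw in [("alice", "hunter2"), ("bob", "hunter2")]:  # constructed sample users
        store_plaintext(weak, user, pw)
        store_hashed(hardened, user, pw)
    print("plain-text table leaks:", leaked_credentials(weak))
    print("hashed table leaks:", leaked_credentials(hardened))
    print("same password, different hashes:",
          hardened["alice"]["hash"] != hardened["bob"]["hash"])
    print("verify alice/hunter2:", verify_hashed(hardened, "alice", "hunter2"))
    fresh = reset_all_passwords(hardened)
    print("old password after reset:", verify_hashed(hardened, "alice", "hunter2"))
    print("new password after reset:", verify_hashed(hardened, "alice", fresh["alice"]))
```

The point of the per-user salt is visible in the output: two users with the same password get different hashes, so a dump of the hashed table neither reveals the passwords nor even shows which accounts share one, whereas the plain-text table gives everything away on read.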
What do you need to do?
One of the most common ways for hackers to compromise an account you own is to brute force the password. A hacker who has obtained millions of username/password combinations can check thousands of combinations a minute and, in many cases, will eventually succeed.
If you couple the fact that hackers have been trading 13.5 million of these username/password combinations with the fact that many people use the same credentials on multiple websites, you can see the problem.
Therefore, if you have ever had a 000WebHost account and used the same password elsewhere, then it is highly recommended you change the password everywhere it is used.
We also recommend never using the same password twice. A password manager such as LastPass can generate and store very complex passwords for you.
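From the defender's side, the two attack patterns this section describes leave different fingerprints in login logs: replaying a leaked list of username/password pairs (credential stuffing) means one source hitting many different usernames once or twice each, while brute forcing means many failures against a single account. The following is an added example, not code from the article or from 000WebHost, that parses a constructed log format and flags each pattern separately. The log lines, addresses, usernames, thresholds and window size are all assumptions made up for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the article or from 000WebHost. The log lines
# and addresses below are constructed; the format is a made-up one-line-per-
# login-attempt layout such as a web application might emit.
SAMPLE_LOG = """\
2015-10-28T10:00:01Z 198.51.100.7 POST /login user=alice status=401
2015-10-28T10:00:02Z 198.51.100.7 POST /login user=bob status=401
2015-10-28T10:00:03Z 198.51.100.7 POST /login user=carol status=401
2015-10-28T10:00:04Z 198.51.100.7 POST /login user=dave status=200
2015-10-28T10:00:05Z 198.51.100.7 POST /login user=erin status=401
2015-10-28T10:00:06Z 198.51.100.7 POST /login user=frank status=401
2015-10-28T10:01:10Z 203.0.113.5 POST /login user=alice status=401
2015-10-28T10:01:20Z 203.0.113.5 POST /login user=alice status=401
2015-10-28T10:01:40Z 203.0.113.5 POST /login user=alice status=200
2015-10-28T10:02:00Z 203.0.113.9 POST /login user=grace status=401
2015-10-28T10:02:01Z 203.0.113.9 POST /login user=grace status=401
2015-10-28T10:02:02Z 203.0.113.9 POST /login user=grace status=401
2015-10-28T10:02:03Z 203.0.113.9 POST /login user=grace status=401
2015-10-28T10:02:04Z 203.0.113.9 POST /login user=grace status=401
2015-10-28T10:02:05Z 203.0.113.9 POST /login user=grace status=401
2015-10-28T10:02:30Z 203.0.113.5 GET /login status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse(log_text: str) -> list:
    """Turn matching lines into event dicts; lines that are not POST /login
    attempts (or are malformed) are skipped rather than crashing the parser."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "status": int(m["status"]),
        })
    return events


def _largest_window(evs: list, window: timedelta) -> list:
    """Largest run of events (sorted by time) that fits inside one window."""
    evs = sorted(evs, key=lambda e: e["ts"])
    best = []
    for i, start in enumerate(evs):
        run = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
        if len(run) > len(best):
            best = run
    return best


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=5, min_distinct_users=4) -> dict:
    """Credential stuffing replays leaked user/password pairs, so one source
    hits many different usernames, typically once or twice each. Flag source
    IPs whose busiest window has enough attempts across enough distinct users."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        run = _largest_window(evs, window)
        users = {e["user"] for e in run}
        if len(run) >= min_attempts and len(users) >= min_distinct_users:
            alerts[ip] = {
                "attempts": len(run),
                "distinct_users": len(users),
                # accounts where a reused password let the replay succeed
                "successful_users": sorted({e["user"] for e in run if e["status"] == 200}),
            }
    return alerts


def detect_single_account_bruteforce(events, window=timedelta(minutes=5),
                                     min_failures=5) -> dict:
    """The other pattern: many failures against one account from one source.
    Returns {(ip, user): failure_count} for pairs over the threshold."""
    by_key = defaultdict(list)
    for e in events:
        if e["status"] != 200:
            by_key[(e["ip"], e["user"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        run = _largest_window(evs, window)
        if len(run) >= min_failures:
            alerts[key] = len(run)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("single-account brute force:", detect_single_account_bruteforce(evs))
```

On the sample data the first source is reported as credential stuffing (six attempts against six accounts, one of which succeeded because its owner reused a password), the third as a brute force against a single account, and the second, a user who mistyped twice and then logged in, is left alone. The `successful_users` field is the useful output for a breach response like the one described on this page: those are the accounts to force a reset on first.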
We already mentioned the announcement made on Facebook, but 000WebHost also sent an email to all users of their service. We made a free account some 5 or 6 years ago just to take a look. We therefore know that they have been very comprehensive in sending it to all current and past users.
We have included the announcement below, as it contains some useful information and an apology:
A hacker used an exploit in an old PHP version, that we were using on our website, in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.
Although the whole database has been compromised, we are mostly concerned about the leaked client information.
What did we do about it?
We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.
In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.
We reset all users' passwords in our systems and increased the level of encryption to prevent such issues in the future.
We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.
What do you need to do?
As all the passwords have been changed to random values, you now need to reset them when the service goes live again. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.
We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.
We are sorry
At 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn’t manage to live up to that. At 000webhost our top priority remains the same – to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. Our leadership team will closely monitor this issue and will do everything possible to earn your trust every day.
Sincerely, 000webhost CEO, Arnas Stuopelis
Also, 000Webhost provided a statement to Fox-Brewster at Forbes stating:
Our users sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities once our internal investigation has been completed. We advise our customers to change their passwords and use different passwords for other services.
We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are going to upgrade our systems in the near future. We hope to get the service back to our users soon.
Our other services such as Hosting24 and Hostinger are not affected by this security flaw.
One of the most important points in this statement is that their other brands were not affected by the hack.