000webhost hacked, 13 million customers exposed

You get what you pay for, and the same seems to apply to security.
Written by Charlie Osborne, Contributing Writer

Free website hosting service 000webhost has suffered a data breach which has placed the service's security practices under scrutiny.

000webhost is a free web hosting service which supports both PHP and MySQL, catering for millions of users worldwide. On Wednesday, the firm told users in a Facebook message that the company had suffered a databreach on its main server.

A hacker used an exploit in an old, unpatched version of PHP to upload malicious files and gain access to the service's systems. Not only was the full database containing the usernames, passwords and email addresses compromised, but this information has been dumped online.

000webhost said it removed all the malicious uploads once they became aware of the breach, and "changed all the passwords and increased their encryption to avoid such mishaps in the future."

An interesting statement to make, as Troy Hunt, Microsoft MVP for Developer Security and the owner of Have I been pwned notes the record dump contained plain text passwords. If services do not at least hash stored passwords, attackers do not need to do anything beyond steal them to use them.

As a result, if these passwords are used on any other services, users should change them as soon as possible. 000webhost has also asked users to change their account passwords following a site-wide reset, but at the time of writing the website is down for repairs and there is nothing customers can do at present.

Hunt also notes the member area is anything but secure, and little seems to have been done to improve security -- especially as the breach reportedly took place in March this year.

Security disclosure service XSSposed has an open ticket for the data breach detailing the vulnerability which may have been the root cause of the cyberattack. On 26 October, a researcher reported a cross-site scripting vulnerability on 000webhost.com -- joining another six vulnerabilities reported by security teams -- which is still unpatched, placing users at risk.

"We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future," the 000webhost team says.

"Hassle" is a weak word to describe such a serious data breach, but the security breakdown does remind us that you get what you pay for -- but while you can't necessarily expect top-notch security for a free service, there are others -- such as Facebook and Twitter -- which do make consumer security a priority.

More importantly, the lesson may hit home that to keep your digital identity as safe as possible, you should make sure you use different passwords for online services.

10 things you didn't know about the Dark Web

Read on: Top picks

Editorial standards