The personal records of at least 13.5 million 000Webhost users have been exposed. The compromised data consists of personally identifiable information such as:
- Email addresses;
- IP addresses;
- Last names.
The story was reported by Forbes’s Thomas Fox-Brewster and is quite horrible, to say the least. It all began several months ago. In March 2015, Fox-Brewster was contacted by Troy Hunt, a Microsoft MVP and the creator and owner of haveibeenpwned.com, a website that collects (‘swallows’) email addresses from major data breaches so that users can check whether their own addresses have been exposed. Hunt explained that he had been approached by an anonymous source who gave him a database supposedly belonging to 000Webhost.
The database held millions of users and their login credentials. The two then tested a sample of the email addresses to determine whether they were real. As you may already suspect, they were: when Hunt and Fox-Brewster tried to register new accounts with the breached addresses, the signup page returned auto-generated responses saying that the addresses were already in use.
Moreover, Hunt discovered that his own email address was in the database: someone had registered an account under it. You may wonder how this was possible. As it turned out, 000Webhost did not verify that a new user actually controlled the email address they signed up with.
So, did 000WebHost confirm the major user data catastrophe? Yes.
The company published a post on its official Facebook page:
”We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.”
000Webhost also explained what actions they took to fix the breach:
”First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.”
In addition, they advised their users to change their passwords:
”As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.”
000Webhost’s Security is Shaky
The conclusion that the company had not thought about its security in advance comes naturally. On top of that, Hunt also warned that, according to another source, the leaked database may have been offered for sale on unspecified forums for $2,000.
The hosting company will also have to address the fact that its website carried multiple security weaknesses that hackers could easily have exploited. According to Forbes, the 000Webhost forum ran an old, vulnerable platform: vBulletin Version 3.8.2, released in 2009. The latest version of the platform is 5.1.9. It’s a mystery why the forum platform hadn’t been updated since 2009.
There’s even more. Forbes’s research revealed that usernames and passwords were all stored in plain text, and that the signup page was not protected by encryption, so anyone with even basic knowledge could have intercepted the traffic between a user and the server.
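Three of the weaknesses in this story (a signup form that confirms which addresses are registered, no email verification, and passwords stored in plain text) and the company's remediation step (resetting every credential to a random value) can be shown side by side. The following is an added illustration written for this article, not 000Webhost's or Forbes's code; the in-memory stores, addresses and passwords are constructed, and the verification token is kept in the store rather than emailed so the example runs offline.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for this illustration, not 000Webhost's data or code.
plaintext_users = {}  # weak: email -> password in the clear, as Forbes found
hashed_users = {}     # hardened: email -> {"salt", "digest", "verified", "token"}

def weak_signup(email, password):
    # Plaintext storage plus an existence oracle: the reply reveals whether the
    # address is registered, which is how the leaked addresses were confirmed.
    if email in plaintext_users:
        return "email already in use"
    plaintext_users[email] = password
    return "account created"

def _derive(password, salt):
    # Salted, slow hash: only this digest is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def hardened_signup(email, password):
    # Same reply whether or not the address exists, so the form stops acting as
    # an address oracle; the verification token would be e-mailed, not shown.
    if email not in hashed_users:
        salt = os.urandom(16)
        hashed_users[email] = {"salt": salt, "digest": _derive(password, salt),
                               "verified": False, "token": secrets.token_urlsafe(16)}
    return "check your inbox to confirm this address"

def verify_email(email, token):
    rec = hashed_users.get(email)
    if rec and hmac.compare_digest(rec["token"], token):
        rec["verified"] = True
        return True
    return False

def login(email, password):
    rec = hashed_users.get(email)
    if rec is None or not rec["verified"]:
        return False
    return hmac.compare_digest(rec["digest"], _derive(password, rec["salt"]))

def force_reset_all():
    # Breach response from the notice: overwrite every credential with a random
    # value so nothing taken from the dump still works; users must reset.
    for rec in hashed_users.values():
        rec["salt"] = os.urandom(16)
        rec["digest"] = _derive(secrets.token_urlsafe(32), rec["salt"])
    return len(hashed_users)
```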