Get James Bond in here: 13 million account passwords plundered from 000webhost

Unencrypted logins leaked through unpatched PHP hole

Hackers have made off with the names, email addresses, and unencrypted passwords of 13 million accounts at 000webhost, a free web hosting biz.

If anyone hit by the raid has reused a 000webhost password on another website, now's the time to change it.

Troy Hunt of HaveIBeenPwned fame said he has added the email addresses of the hacked accounts to his security breach alert service after a long and difficult back-and-forth with the hosting company over the millions of lost credentials.

Hunt said in a blog post that netizens can check the HaveIBeenPwned site to discover whether they are among the 13,545,468 accounts being circulated for resale.

The Australian said he received a tip-off about the infiltration, and a copy of the account databases, some time ago. He then attempted to privately contact 000webhost to warn it of the intrusion.

Despite having evidence that millions of accounts had been compromised, Hunt says he was unable to get in direct contact with 000webhost's security staff, and was forced instead to wade through the company's unhelpful helpdesk process.

In the meantime, the stolen credentials were being sold for thousands of dollars online, and used to upload dodgy webpages and content to websites, and commit other sorts of mischief.

"The only reason anyone pays for this sort of information is because they expect a return-on-investment; they will gain something themselves from having paid a couple of grand for the credentials," Hunt wrote.

"That may mean exploiting the victims' 000webhost account, but more than likely it also means exploiting their other accounts where they've reused credentials."

Only recently, Hunt said, did 000webhost take any action to address the breach – namely by resetting passwords for user accounts.

"There's only one good reason why an organization does that, and that's because they believe all the passwords have been compromised," Hunt said.

"This was the first clear acknowledgement from 000webhost that they had been breached. Of course this does nothing to protect impacted users' other accounts where they've reused passwords – only communication from 000webhost alerting them to the incident will help with that."

In a Facebook post on Wednesday afternoon, Cyprus-headquartered 000webhost admitted: "A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

"We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress."

People are urged to change the passwords for their FTP accounts, email accounts, and MySQL databases hosted by 000webhost. ®

