Web Host Data Breach Cost 13M Users Their Passwords

The usernames and passwords of millions of users of Lithuanian web hosting company 000webhost may have been compromised as the result of a recent data breach.

Forbes reported the possible leak yesterday (Oct. 28) after following up on a lead gathered from an anonymous source who had access to what was believed to be 000webhost’s database, which contained the usernames and passwords of more than 13.5 million users.

Forbes made repeated attempts throughout the week to reach someone at the company and warn it of the potential leak. 000webhost did not respond at first, but eventually admitted to the breach on its Facebook page yesterday.

“We have witnessed a database breach on our main server,” the company said in a post.

“A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information,” 000webhost said.

“We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress … We apologize for this hassle, but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super careful in future,” the statement continued.

While the details surrounding the data breach are still unclear, many are putting the blame on 000webhost for its lack of security measures to safeguard the sensitive information of its users.

“I never cease to be amazed at just how badly wrong an organization can get security. It was only this week we learned of the TalkTalk attack having been carried out by a 15-year-old using free tools. Now we’re seeing how 000webhost stored over 13 million passwords in plain text, which is simply unforgivable,” said Troy Hunt, a cybersecurity professional and owner of haveibeenpwned.com, a website that lets users check whether their email address has appeared in a significant breach.

Hunt, who was responsible for bringing the breach to Forbes’ attention after being contacted by an anonymous source, also expressed frustration with 000webhost’s initial lack of response and acknowledgement of the breach report.
