Webhost confirms multi-million password leak

[Batu69]

Slack security at 000webhost blamed.

Popular free web hosting service 000webhost has owned up to a massive data breach that saw unencrypted login credentials for more than 13.5 million users leaked online.

000webhost, which is based in Lithuania and owned by UK company Hostinger, wrote on its Facebook page that a database breach had occurred on its main server.

"A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information," the company posted.

000webhost apologised to users and said it had reset all passwords on the site as well as "increased encryption to avoid such mishaps in the future".

The 000webhost user credentials database appeared to have been intercepted around five months ago, according to security researcher Troy Hunt.

Hunt was given a tip-off about the database and confirmed it contained full user details including first and last names, email addresses and passwords.

The database is in clear-text, with the passwords of 13.5 million users stored unencrypted, Hunt noted.

Hunt was contacted by an unnamed person who claimed the database is being traded for "upwards of US$2000" on the internet.

He added the 13,545,468 000webhost user email addresses to his Have I been pwned service to allow people who used the provider to check if their details have been leaked.

Source

[smallhagrid]

Just my 2.5 cents:

I've used 000webhost for years already;

It has never cost me a dime, and I do nothing there that is sensitive - so its all good.

For getting a free hosting and (sub)domain, especially to use for disposable emails, it is the best, of the ones I've ever used, I think.

So I can forgive if they give away not-the-best or most secure services for zero charge !!

PS - I used the above linked tool & it says this:

Good news — no pwnage found!

Thanks Batu69.