
Information about recent security breach (000webhost.com)


thunderpants


I just received this email from 000webhost.com:

What happened?

A hacker used an exploit in an old PHP version, that we were using on our website, in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.

Although the whole database has been compromised, we are mostly concerned about the leaked client information.

What did we do about it?

We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.

In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.

We reset all users' passwords in our systems and increased the level of encryption to prevent such issues in the future.

We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.

What do you need to do?

As all the passwords have been changed to random values, you now need to reset them when the service goes live again.
DO NOT USE YOUR PREVIOUS PASSWORD.
PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.

We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.

We are sorry

At 000webhost we are committed to protecting user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that.
At 000webhost our top priority remains the same - to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together.
Our leadership team will closely monitor this issue and will do everything possible to earn your trust every day.

Sincerely,
000webhost CEO,
Arnas Stuopelis


No normal person will use such a service. Only cheating and obsolete servers.

I think it could have been a lesson to them, but it seems that it was not.

/* If was born humpbacked, then improves only the tomb. (proverb) */



NOW they patch and update their systems. They ought to be the subject of a class action lawsuit by all their customers for lack of due diligence and not taking those actions necessary to secure their customers' information. Especially since this low class website claims to provide top class web hosting and being an industry leader (in what, number of client accounts compromised?). Can't trust anyone anymore with your data. Anything I really care about securing doesn't have a password but a pass phrase with mixed English and foreign words. But even that doesn't do any good if the site doesn't secure that information. The best you can do is use a different pass phrase on every site so if one gets compromised the others will be safe.



I suggest being attentive to this bit of info, where it says 'free':

At 000webhost our top priority remains the same - to provide free quality web hosting for everyone.

And as a long-time user who is delighted with them I can say that my accounts were not touched during this problem at all.

Anyone who uses a free web hosting service for making profits is confused, I think:

...They ought to be the subject of a class action lawsuit by all their customers...

And it seems most likely that anyone trying to sue a free service would be wasting their time trying to do that.

(Might make some court clerks and lawyers laugh a bit though...!)

Those folks do offer a paid service as well - and it is not via the free site - and it was NOT affected AFAIK.



No risk, the free service was breached, not the paid one. A friend of mine has a website created with web.com and they got breached too. If you're a web service of any kind you're going to get breached sometime, it's only a matter of time.



No risk, the free service was breached, not the paid one. A friend of mine has a website created with web.com and they got breached too. If you're a web service of any kind you're going to get breached sometime, it's only a matter of time.

You didn't understand the phrase. Of course the free service has been breached because they gave a poop about those individuals' data, that is exactly what I meant, they paid nothing, so has their data been treated and they got what they paid for - nothing - in terms of security. Basically, getting hacked because of being too lazy to update the software is one thing, being that stupid to even leave all the data stored unencrypted and in plain-text on the server is a joke.

Don't you think that it doesn't really matter if those affected paid for the service or not and that it will affect the overall reputation of 000webhost and all possible users and customers equally?

Why have any trust in what they are doing when they don't do everything possible to protect your data and privacy?

If I had paid for their service, I would move to another webhoster, no matter what, that is what everyone with common sense should do.



Archived

This topic is now archived and is closed to further replies.
