000webhost leaks unencrypted account database

October 29, 2015 | 14:26

Tags: #attack #breach #fraud #insecurity #security #troy-hunt

Companies: #000webhost

Popular free hosting outfit 000webhost has been hit by a massive data breach, which included usernames and unencrypted passwords for its entire 13 million strong user base.

Offering free hosting for websites and MySQL databases, 000webhost has a large customer base - but one it has apparently been doing down, storing their personal details in an unencrypted format. This breach of best practice was revealed earlier today when researcher Troy Hunt, who runs the service Have I Been Pwnd for users to check whether their email addresses are included in large-scale data leaks, received an email with the company's entire 13-million-strong account database. The data shared with Hunt included full names, email addresses, and the account password - all in plain text, requiring no effort on the attackers' part to use.

It's a serious breach, but not the company's first: researching the breach and verifying its legitimacy, Hunt discovered that the member login page is served over an unencrypted connection, that passwords are emailed back to registered users in plain text proving that they're stored in a reversible or clear format, and that user credentials are sent back to the server in an unencrypted URL. In short: the company's security is a mess, and it spent a considerable amount of time ignoring Hunt's attempts to convince them there was a problem - until he went public, at which point individuals suggested the attack itself took place back in March and that copies of the database are being traded for around $2,000 between ne'er-do-wells.

'At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologise we didn't manage to live up to that,' the company eventually admitted in a response this morning to Hunt's blog post, after days of denying any issue and deleting Facebook comments enquiring about the breach. 'We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally we are going to upgrade our systems in a close future. We hope we get back the service to our users soon.'

'I'm sorry, but this just doesn't stack up,' Hunt replied. 'You knew about "a serious security incident" on October 22 and it's captured in the original ticket to 000webhost in the screen above. The ticket was at this URL which now seems to be broken. Not only did 000webhost know about the incident, but they deliberately deleted comments on Facebook which indicated there might be a problem. Storing credentials in plain text isn't representative of a commitment to protect user information. Neither is passing credentials in the URL and especially not when they're never even handled over HTTPS.

'As far as I know, you still haven't notified customers of the incident. Their credentials which you stored with absolutely zero cryptographic protection are being used to compromise their accounts on other sites and you must notify them; merely resetting their passwords on your system is insufficient. Their data is being sold right now and it's up to you to take responsible action and let them know.

The leak has shades of the recent TalkTalk breach, in which bank and credit card details were accessed after been stored in an unencrypted format - a terrible practice defended by company head Baroness Harding as being outside the legal requirements of the Data Protection Act, which requires only that 'appropriate technical and organisational measures' be taken to protect personal information.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04