A security researcher has publicised a five month-old security breach of free web hosting service 000Webhost, after 13m plaintext passwords of its users were discovered online.
Troy Hunt, owner of security site Have I Been Pwned?, received the leaked user data from an unknown source, and after running routine tests confirmed it includes users’ names and email addresses.
After several failed attempts to contact the site to make them aware of the serious breach, Hunt took to social media in an effort to get in touch with anyone with a 000Webhost account.
He confirmed with five 000Webhost users that the list contained the names, passwords, and IP addresses they used to access their accounts on the site.
000Webhost is a free web hosting platform which offers users 1500 MB disk space, 100 GB data transfer and PHP with MySQL database support.
Earlier this week, company officials confirmed the breach, saying it was the result of hackers who exploited an old version of the PHP programming language to gain access to 000Webhost systems.
Its site now reads: “Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed. Thank you for your understanding and please come back later.”
The site has also reset all user passwords, and has advised them to change their credentials.
However, Hunt acknowledged in a blog post that “this does nothing to protect impacted users’ other accounts where they’ve reused passwords”.
He also documented a number of security issues he uncovered during his investigation into 000Webhost, including the use of unencrypted HTTP communications on the login page.
The Australian researcher also revealed that the database of user data is now selling for more than $2,000.