More than 13 million unencrypted passwords stolen
October 29, 2015
We’re not sure how this happened in today’s day and age, where protecting your customers’ data is so EASY, but it has.
000webhost has confirmed that the account details of around 13.5 million users of its free web hosting service, owned by UK company Hostinger, were stolen in a massive data breach that occurred on its main server.
A report from Troy Hunt tells us that they were storing their users’ data in plain text, with no encryption whatsoever.
In a Facebook post they stated that, in follow-up to this data breach, they “removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.”
So now they have reset everyone’s password (a clear indication that the whole database was breached) and are encrypting their users’ data. We really are not sure why this wasn’t happening in the first place. It’s… just… really baffling to us.
According to a tip-off that Hunt received, this breach happened five months ago. He got tipped off because he runs the service Have I been pwned?, which “allows people to discover where their personal data has been compromised on the web,” but normally only after the news has hit the public airwaves, as with the Ashley Madison breach. In this case he made an exception due to the enormity of this breach and the fact that it was just… so stupid. Plain text passwords!? Seriously, who does that anymore?
Reading Hunt’s report you get a very clear idea of how difficult it is for him to even contact 000webhost and let them know about this massive security breach that he’s been tipped off about. Even now, after notifying their customers, they have not replied to Hunt – six days after he became aware and told them of the breach!
The whole thing is seriously messy, and we’re glad that it’s been dealt with. Hopefully nothing untoward comes from this, but with the breached data selling for over US$2,000 it’s clear that these users’ information will be used for commercial purposes.
A word to the wise:
Security is important, folks, and this is why free web hosting is dangerous: while the shiny price tag of nothing looks good, it can come at a very great cost. Don’t risk it; pay for your web hosting.