Get James Bond in here: 13 million account passwords plundered from 000webhost

Unencrypted logins leaked through unpatched PHP hole


Hackers have made off with the names, email addresses, and unencrypted passwords of 13 million accounts at 000webhost, a free web hosting biz.

If anyone hit by the raid has reused a 000webhost password on another website, now's the time to change it.

Troy Hunt of HaveIBeenPwned fame said he has added the email addresses of the hacked accounts to his security breach alert service after a long and difficult back-and-forth with the hosting company over the millions of lost credentials.

Hunt said in a blog post that netizens can check the HaveIBeenPwned site to discover whether they are among the 13,545,468 accounts being circulated for resale.

The Australian said he received a tip-off about the infiltration, and a copy of the account databases, some time ago. He then attempted to privately contact 000webhost to warn it of the intrusion.

Despite having evidence that millions of accounts had been compromised, Hunt says he was unable to get in direct contact with 000webhost's security staff, and was forced instead to wade through the company's unhelpful helpdesk process.

In the meantime, the stolen credentials were being sold for thousands of dollars online, and used to upload dodgy webpages and content to websites, and commit other sorts of mischief.

"The only reason anyone pays for this sort of information is because they expect a return-on-investment; they will gain something themselves from having paid a couple of grand for the credentials," Hunt wrote.

"That may mean exploiting the victims' 000webhost account, but more than likely it also means exploiting their other accounts where they've reused credentials."

Only recently, Hunt said, did 000webhost take any action to address the breach – namely by resetting passwords for user accounts.

"There's only one good reason why an organization does that, and that's because they believe all the passwords have been compromised," Hunt said.

"This was the first clear acknowledgement from 000webhost that they had been breached. Of course this does nothing to protect impacted users' other accounts where they've reused passwords – only communication from 000webhost alerting them to the incident will help with that."

In a Facebook post on Wednesday afternoon, Cyprus-headquartered 000webhost admitted: "A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

"We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress."

People are urged to change the passwords for their FTP accounts, email accounts, and MySQL databases hosted by 000webhost. ®

Similar topics

Narrower topics


Other stories you might like

  • Hackers weigh in on programming languages of choice
    Small, self-described sample, sure. But results show shifts over time

    Never mind what enterprise programmers are trained to do, a self-defined set of hackers has its own programming language zeitgeist, one that apparently changes with the wind, at least according to the relatively small set surveyed.

    Members of Europe's Chaos Computer Club, which calls itself "Europe's largest association of hackers" were part of a pool for German researchers to poll. The goal of the study was to discover what tools and languages hackers prefer, a mission that sparked some unexpected results.

    The researchers were interested in understanding what languages self-described hackers use, and also asked about OS and IDE choice, whether or not an individual considered their choice important for hacking and how much experience they had as a programmer and hacker.

    Continue reading
  • Stolen-data market RaidForums taken down in domain seizure
    Suspected admin who went by 'Omnipotent' awaits UK decision on extradition to US

    After at least six years of peddling pilfered personal information, the infamous stolen-data market RaidForums has been shut down following the arrest of suspected founder and admin Diogo Santos Coelho in the UK earlier this year.

    Coelho, 21, who allegedly used the mistaken moniker "Omnipotent" among others, according to the US indictment unsealed on Monday in the Eastern District of Virginia, is currently awaiting the outcome of UK legal proceedings to extradite him to the United States.

    The six-count US indictment [PDF] charges Coelho with conspiracy, access device fraud, and aggravated identity theft following from his alleged activities as the chief administrator of RaidForums, an online market for compromised or stolen databases containing personal and financial information.

    Continue reading
  • Devil-may-care Lapsus$ gang is not the aspirational brand infosec needs
    Hitting big targets, untouchable, technically proficient. Who will it inspire next?

    Analysis The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.

    However, the gang is climbing up the ladder, swinging at larger targets in the tech industry. Over the past few weeks, those have included Nvidia, Samsung, and Argentine online marketplace operator Mercado Libre. Now, Lapsus$ is suspected of attacking game developer Ubisoft.

    Lapsus$ in February compromised Nvidia, stealing a terabyte of data that included proprietary information and employee credentials, and dumping some of the data online. The crew also demanded the GPU giant remove limits on crypto-coin mining from its graphics cards, and open-source its drivers.

    Continue reading

Biting the hand that feeds IT © 1998–2022