13 Million Passwords Leaked from 000Webhost Breach

An independent security researcher has discovered a massive trove of 13 million plaintext passwords belonging to users of the free web-hosting service 000Webhost.

The leaked data also includes users’ personal details such as emails and real names. The dump was discovered by Australian researcher Troy Hunt, who runs the website ‘Have I Been Pwned?’, a service that helps users find out if their personal data has been leaked in previous website breaches.

It is ostensibly because Hunt operates such a website that a yet-unknown user reached out to the researcher and provided him with the data, which was apparently obtained in a breach affecting 000Webhost five months ago.

In a blog post, Hunt confirmed that he cross-referenced five people’s details from the list and that the names, passwords and IP addresses all matched, confirming that the breach is indeed legitimate and that 13 million plaintext passwords were leaked.

000Webhost is a free hosting service for PHP and MySQL that does not secure its members’ login area with encryption, Hunt notes. Furthermore, the hosting provider also sends each new member a confirmation email that contains the password used to sign up, in plaintext.

A Facebook post by the free web hosting provider admitted to the breach after word quickly spread. An excerpt from the post read:

A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

The web hosting provider also contends that all uploaded pages that contained the passwords were deleted and that every password belonging to tens of millions of users has since been reset.

The data breach may have occurred through the execution of an SQL injection exploit, a common attack method used on websites with substandard encryption practices.

LIFARS recommends that any readers who use or may have previously used 000Webhost change their passwords elsewhere, if they are similar to the one used on the web hosting provider. Once that is done, it is good practice to come up with a cryptographically secure and yet simple password, which this 11-year-old shows here.