The free web hosting service, website builder and autoinstaller 000webhost.com announced on Facebook that a hacker had exploited an “old PHP version” the company was using on its 000webhost.com website to breach its main server database. In a statement on the company website, CEO Arnas Stuopelis expressed the company’s regrets and apologized for its failure to protect customers’ user information. The message recommended that users change their passwords, not reuse their previous password, and, if they had used the same password on other sites, change it there as well.
The Facebook message stated that the company, upon learning of the breach, had immediately taken steps to remove all the “illegally uploaded pages” and that 000webhost had changed all passwords and strengthened their encryption to prevent further cyber breaches in the future. To be specific the statement read, “We reset all users passwords in our systems and increased the level of encryption to prevent such issues in the future.” It further read, “We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.”
However, analysts in the cybercrime community tell a different story of the breach. They have described 000webhost.com’s lack of cyber security as nearly criminal in its dereliction of duty to its users, and have characterized the company’s lack of encryption as “you get what you pay for” and “reckless.” One independent security consultant, Graham Cluley, went so far as to say in one blog post, “One has to assume that words such as hashing, salting and encryption are not in their dictionary.” Criticism of 000webhost.com has been extremely heavy for its lack of availability to users, its failure to provide any direct notice to customers, and the lack of customer support following the breach.
FORBES claims that even a “cursory” look at 000webhost’s site reveals numerous potential security weaknesses, and that the site was being run on a platform whose latest release was at best from 2009. Furthermore, usernames and passwords were all stored in plain text, and there was no encryption, which would enable any hacker who gained access to the communications between 000webhost’s users and the web server to readily steal the login information entered by new registrants, such as username and password.
Storing 13.5 million customers’ usernames and passwords in plain text, and serving the signup page without encryption, is unthinkable in today’s climate of cybersecurity crime, and makes one wonder just what would possess a company to be so lax with such sensitive customer information. Some in the industry would say that the free 000webhost is just a “hook” endeavor used to lead consumers to Hostinger’s other services which are not free, such as hosting24.com, a premium $4.84 per month service which offers a more protected environment with safer and better product services.
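The difference the critics are pointing at, as an added illustration that is not 000webhost’s or Hostinger’s code: a plaintext credential table beside the salted, stretched form that “hashing and salting” refers to. The sample users are constructed, and PBKDF2-HMAC-SHA256 from Python’s standard library stands in for the password hash (an assumption; bcrypt or Argon2 would serve equally).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the kind of table the article says was leaked:
# a dump of this table hands an attacker every password directly.
PLAINTEXT_TABLE = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",      # same password as alice
    "carol@example.com": "correct horse battery staple",
}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_table(plaintext_table: dict) -> dict:
    """What a fixed store looks like: each user gets a distinct salt, so a dump
    reveals no password and identical passwords no longer share a record."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


def dump_reveals_password(table: dict, user: str, password: str) -> bool:
    """True if the raw stored value for a user is the password itself."""
    return table[user] == password
```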
Under pressure from numerous cybersecurity reporters’ interview requests and consumer demands, the following statement was released:
At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn’t manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.
Our users’ sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities once our internal investigation has been completed. We advise our customers to change their passwords and use different passwords for other services.
We became aware of this issue on the 27th of October and since then our team has been troubleshooting and resolving this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are going to upgrade our systems in the near future. We hope to get the service back to our users soon.
Our other services such as Hosting24 and Hostinger are not affected by this security flaw.
Conclusion:
There is something to be said for the caveat “Buyer Beware”; in this instance it may be non-buyer beware!
Links For Consumers Affected:
https://members.000webhost.com/helpdesk
Please visit the Password Reminder tool at http://members.000webhost.com/forgot_password.php and enter your email address; the new password will be sent to your email.
Afterwards, log in to your account with the new password and manually set a new, secure password at http://members.000webhost.com/edit_your_details.php
Additional Resources About This Breach:
https://www.000webhost.com/000webhost-database-hacked-data-leaked
http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/#5392c16517c1
http://www.zdnet.com/article/000webhost-hacked-13-million-customers-exposed/