Data of 13 Million Users, Including Plain-Text Passwords, Leaked From Free Web Hosting Company 000Webhost
000webhost provides a free web hosting service for PHP and MySQL. The leaked data includes users' names and e-mail addresses.
Troy Hunt has explained this breach in detail.
According to a Forbes report:
Hunt discovered user accounts had their passwords reset, but without any direct notice to customers. When Hunt tried to login with his own email address, an auto-generated response told him his password had been reset by 000Webhost “for security reasons”, advising him to change his credentials before continuing. There was no public notification.
Users started to complain on the site forum that they could not access FTP servers used to host their website files.
Free WebHost said on its Facebook page:
We have witnessed a database breach on our main server.
A hacker used an exploit in an old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.
What did we do about it?
First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.
What do you need to do?
As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.
Client Area Password
Please visit Password Reminder tool at http://members.000webhost.com/forgot_password.php and enter your email address, the new password will be sent to your email. Afterwards, login to your account with the new password and manually set a new, secure password at http://members.000webhost.com/edit_your_details.php
Hosting Account Password
To reset the password for your hosting account (and FTP), visit the "Change Account Password" section on the control panel and enter a new password there.
Email Account Password
Email account passwords should be changed by visiting the "Manage Email Accounts" section and clicking "Change password" for each email account.
MySQL User (Database) Password
MySQL user passwords are managed in the "MySQL" section on the control panel. In the "Action" field, click "Change Password" and set a new password there.
We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future.
000webhost Team