back to article Get James Bond in here: 13 million account passwords plundered from 000webhost

Hackers have made off with the names, email addresses, and unencrypted passwords of 13 million accounts at 000webhost, a free web hosting biz. If anyone hit by the raid has reused a 000webhost password on another website, now's the time to change it. Troy Hunt of HaveIBeenPwned fame said he has added the email addresses of …

  1. This post has been deleted by its author

  2. Your alien overlord - fear me

    If he had a copy of the database, why did he also need 000webhost to give him the same info to fill his database? Something smells fishy with this large database of compromised users from around the world. How much would a hacker make if they broke in to HaveIBeenPwned?

    1. Anonymous Bullard

      I'm guessing he's just storing the hashes of the usernames and email addresses... plus the data is already available.

    2. aaronullger


      A hacker would make nothing because the information Troy Hunt hosts on haveibeenpwned only contains usernames & emails from the breach, he may have the databases himself but they are nowhere uploaded on the HIBP server.

      1. Robert Helpmann??

        Re: HaveIBeenPwned

        A hacker would ... [only get] usernames & emails from the breach.

        So that would be verified information that could be used in phishing, DOS and other attacks? Perhaps it's low hanging fruit, but it is rather nice to have all in one place.

    3. Richard Parkin

      @alien overlord. He was not asking for information (he already had the list) but was trying to alert them to the breach.

    4. Velv

      Please go and read Troy Hunts blog about the formation, build and maintenance of haveibeenpawned. Since he gets paid for his knowledge of IT Security he does know a thing or two. I'm not suggesting it's perfect, but it does layers properly.

  3. okubax

    Have an account with them so not surprised to see my username pop up on the pwned website. So they reset all passwords with 'still' zero communication to their users about the breach.

    They have this notice on the log-in page for members: "Important! Due to security breach, we have set website on maintenance until issues are fixed. Thank you for your understanding and please come back later."


  4. Doctor Syntax Silver badge

    "We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress."

    Translation: we bolted the stable door.

    1. Steven Raith

      "increased their encryption"

      Translates to:

      "We ran the plaintext passwords through an MD5 hash"

      Steven R

  5. Destroy All Monsters Silver badge

    Meanwhile, in Goldhacker's lair...

    Agent BOND has been shibari-ed to a PLATFORM OF EXTERMINATION and is basically awaiting his fate.

    GOLDHACKER: "Yes, Mr. Bond. All passwords downloaded via a simple exploit, rainbow-tabled and indexed. A trivial hack, enabled by third-rate coders. It's human nature, Mr Bond. Inevitable."

    BOND [STRAINING]: "I don't understand, Goldhacker! Do you expect me to believe this kind of thing will go on forever?"

    GOLDHACKER: "No Mr. Bond. I don't expect you to understand. I expect you ... to die!"

    [GOLDHACKER turns to leave but then whips around]

    GOLDHACKER: "By the way. Nice password, Mr. Bond."

    [GOLDHACKER shows BOND a printout with the clearly written text: "007"]

  6. David Roberts


    .......a free website hosted in Cyprus (or at least owned there) and the users expect security?

    But it was free!!!!

    1. harmjschoonhoven

      Re: Ummmm........

      ..... with admin address (or POB) in Scottsdale Arizona, somewhere between Danny's Family Car Wash and Jenny Craig Weight Loss Center.

      May be they robbed the bank themselves. At least there is nothing that contradicts that there was no outside hacker involved.

  7. Pascal Monett Silver badge

    Ah, PR disaster handling

    Cyprus-headquartered 000webhost admitted: "A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

    "We removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress."

    What they actually said is that they made their website ages ago and never updated it, so they were thoroughly pwned. Now, they are pretending to do something to cover the issue.

    The investigation is simple : an old PHP exploit should not be allowed to exist on an ISP's website. An ISP should be well aware of best practices and apply them rigorously.

  8. The Infamous Grouse

    I had a temporary account with these clowns about a year ago. Alarm bells began to ring when I saw the poor quality of their admin pages, then clanged almightily when I tried to delete the account. Despite trying every automatic option, and emailing "support", the login continued to work and the files I'd uploaded remained stubbornly present. In the end I deleted the folder structure file by file until only a skeleton remained before abandoning the account. Sure enough, that account is one of those leaked. Fortunately the password was random and unique, and even the email address was for a domain I no longer own.

    I guess at the end of the day you get what you pay for. Cold comfort to those whose credentials have leaked, especially those people (unfortunately all too numerous) who use the same password in multiple places.

  9. 000webhost

    A message from CEO Arnas Stuopelis about 000webhost data breach.

    We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.

    We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately. We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems. We will get back to providing the service to our users soon.

    At 000webhost our top priority is to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together. For millions of people our services are an opportunity to be present on the internet and learn more about technology.

    At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that. In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.

    Our user’s sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services.

    Our other services such as Hosting24 and Hostinger are not affected by this security flaw and are fully secure and operational.


    Arnas Stuopelis

    CEO, Hostinger

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022