Webhost confirms multi-million password leak

By

Slack security at 000webhost blamed.

Popular free web hosting service 000webhost has owned up to a massive data breach that saw unencrypted login credentials for more than 13.5 million users leaked online.

Webhost confirms multi-million password leak
Troy Hunt.

000webhost, which is based in Lithuania and owned by UK company Hostinger, wrote on its Facebook page that a database breach had occurred on its main server.

"A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information," the company posted.

000webhost apologised to users and said it had reset all passwords on the site as well as "increased encryption to avoid such mishaps in the future".

The 000webhost user credentials database appeared to have been intercepted around five months ago, according to security researcher Troy Hunt.

Hunt was given a tip-off about the database and confirmed it contained full user details including first and last names, email addresses and passwords.

The database is in clear-text, with the passwords of 13.5 million users stored unencrypted, Hunt noted.

 

Hunt was contacted by an unnamed person who claimed the database is being traded for "upwards of US$2000" on the internet.

He added the 13,545,468 000webhost user email addresses to his Have I been pwned service to allow people who used the provider to check if their details have been leaked.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack

Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

Sportsbet recruits 'security champions' in shift-left strategy

Sportsbet recruits 'security champions' in shift-left strategy

Log In

  |  Forgot your password?