Webhost confirms multi-million password leak

Popular free web hosting service 000webhost has owned up to a massive data breach that saw unencrypted login credentials for more than 13.5 million users leaked online.

Troy Hunt.

000webhost, which is based in Lithuania and owned by UK company Hostinger, wrote on its Facebook page that a database breach had occurred on its main server.

"A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information," the company posted.

000webhost apologised to users and said it had reset all passwords on the site as well as "increased encryption to avoid such mishaps in the future".

The 000webhost user credentials database appeared to have been intercepted around five months ago, according to security researcher Troy Hunt.

Hunt was given a tip-off about the database and confirmed it contained full user details including first and last names, email addresses and passwords.

The database is in clear-text, with the passwords of 13.5 million users stored unencrypted, Hunt noted.

Hunt was contacted by an unnamed person who claimed the database is being traded for "upwards of US$2000" on the internet.

He added the 13,545,468 000webhost user email addresses to his Have I been pwned service to allow people who used the provider to check if their details have been leaked.