Article Updated: Novemeber 24, 2015
“Please call your nearest hacker if you need further assistance. We’ll be in touch.”
Today I received a charming letter from my early hosting 000webhost.com, which I am not using for years now – one of those letters that makes you immediately stop whatever you were doing and start worrying.
Apparently, in approx. March 2015 000webhost.com suffered a major data breach that exposed over 13 million customer records. The data was sold and traded before 000webhost was alerted in October (today). The breach included names, email addresses and plain text passwords.
EMAIL MESSAGE FROM 000WEBHOST.COM
Subject: Important information regarding recent security breach
A hacker used an exploit in an old PHP version, that we were using on our website, in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.
Although the whole database has been compromised, we are mostly concerned about the leaked client information.
What did we do about it?
We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.
In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.
We reseted all users passwords in our systems and increased the level of encryption to prevent such issues in the future.
We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.
What do you need to do?
As all the passwords have been changed to random values, you now need to reset them when the service goes live again.
DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.
We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.
We are sorry
( editor comment: removed… )
First, thankfully, I do not use their crappy hosting service for years now. I’ve realized how bad and limiting it was in time, packed my bags and moved on. And never regretted that decision. The only regret I might have now is the fact that I did not request account closure and removal from their database.
But no matter. I use different passwords everywhere, and certainly I do not use the above one for years, so here’s my message to the hackers: GOOD LUCK :)
Second, plain text passwords (or almost equally weak hash algorithms like md5 or SHA1) used in their database practically without any effort needed to decode and make them publicly available. Seriously!? For real? Blowfish? Bcrypt? Anyone? Hello?
Third point, they were using PHP 5.2/5.3 in the year 2014/5 or so. This kind of a disaster was simply screaming at hackers to come and make a visit.
Update: November 24, 2015
I’ve received a follow-up letter several weeks later, after the initial announcement about the data breach. Here is the first half content of that letter (the second half is more-or-less a promotion with discount for all existing customers):
Recently we have witnessed a data breach. In an effort to protect our users, we had temporarily blocked access to few systems, but now we are back and we are stronger and safer than ever!
We have been audited by external security experts and we have implemented extra security measures. You can safely use 000webhost for free.
Connection to Your members area is now encrypted with SSL certificate (SHA-256 with RSA 2048 bits key). Your passwords are stored securely hashed with bcrypt algorithm with a cost factor of 12. Passwords are now immune to Brute Force attacks. Cracking a password, which has more than 4 randomly generated symbols, would take years.
( … )
Thank you for being our client and using our services
Well, there you go, at least something good was born out of this. However, I just hope that the above is truth, and that they did not mess up bcrypt implementation in any way. But, all this would be avoided, if they performed their system updates on a regular basis, or at least last year.
AM I PWNED? IS MY ACCOUNT COMPROMISED?
Here are two useful websites which will perform automatic cross-database search of any given email address and report back if your account was found in any of them:
There are also links to published/known security breaches with exact amount of records compromised. If your email is among one of those databases, you should immediately revisit your membership data and change your account(s) passwords.
Emergency Help Desk
Q: I am affected – my data is on the list! What should I do now!?
A: If this is your very old email account and password which you don’t use anywhere else anymore, just forget about it. Don’t even bother with password reset program that is currently going on @ 000webhost.com. I don’t really trust their security, if they changed / improved anything at all.
If, on the other hand, this is your current email address and password that you commonly use – drop this email and change all passwords shared on other websites ASAP!
Q: What is now going to happen to those whose data is stolen?
A: They can pretty much expect a massive SPAM campaign, since most of those emails are probably still valid. Also, phishing attempts with malware in emails and poisoned links would not be a surprise, either. This is why you should consider changing email address, or be extra careful what attachments you can open and links to click on / follow inside your messages!
Q: I am using PayPal or other payment service with this compromised email address. What should I do?
A: If you are careful, you may relax. However, it is likely that phishing attempts will be conducted on individual basis with heavy social engineering trickery. For example, if this email address is listed somewhere publicly, or they can get to your real name somehow, they [hackers] can create a perfect impersonation of regular PayPal or some important account email and trick you to click on a specially crafted link, load hidden virus within image or open malicious attachment file.
If you wish to be extra safe, simply login to you PayPal account > Profile > Add/Edit Email + make it primary and you are done. Make sure to notify everyone important about this change.
SEVERAL THOUGHTS ABOUT PASSWORDS AND DATA SECURITY
- Many websites store passwords inside their database in unencrypted (plain text) form. You cannot possibly know this information. It does not exactly say on website registration page: “Hey, there! Before you register, here is an important info: We are storing your password in plain text because we are stupid! Just so you know…” until it gets too late (infamous recent example was for e.g. Sony Corp).
- Credit card numbers are
usuallyhopefully encrypted and often stored off-site on a secure remote servers to minimize breach. However, even in such cases with high security, there are some security omissions which combined with clever social engineering can result in horror stories (Wired article).
- All personal details are stored in plain text (emails, names, usernames, street address…) because there is no way to keep this information in hashed form and make it human readable at the same time. Once hashed, a value of numbers and text data cannot be easily reversed to a plain text format for reading/usage (that’s the whole point of password hashing).
- Even if passwords are hashed/encrypted, there are various algorithms and strength settings nowadays, md5/sha1/sha2/sha3 being the worst (not really created for password protection anyway), and high strength for blowfish/bcrypt being the current industry standard.
- Finally, at least some of the websites are artificially limiting their users with maximum password length to 8, 10, 12 or 15 characters, effectively reducing your right to have a long, healthy length password which combined with strong encryption can result in virtually non-penetrable (reverse engineered) phrase. Even worse, some are even forbidding usage of special characters, hyphen and quotes, all without any real technical reason behind it in modern computing.
So, even if you have your password safely stored on the website (and don’t forget a credit card number, hopefully), every other personal data is vulnerable to attacks and database stealing, that should be taken with professional attention. Unfortunately, small websites and companies which operate on an individual, donations or low income basis cannot afford high security services and thus we are witnessing this kind of news. But, when this kind of issue happens to a big name company, it really makes you think. Completely irresponsible.
Update: Troy Hunt (Have I Been Pwned) has published a very interesting story behind this – check here. Apparently, he was trying to reach someone (anyone?) at 000WebHost to warn them about potential breach in their system, but it was more like an actual Alien trying to speak to Earth kind of experience.