13+ million credentials dumped in 000webhost Breach
10-28-2015, 03:31 PM (This post was last modified: 10-28-2015 03:33 PM by no2pencil.)
Post: #1
13+ million credentials dumped in 000webhost Breach
Copied from their Facebook post on the breach:

Quote: We have witnessed a database breach on our main server.

What happened?
A hacker used an exploit in an old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

What did we do about it?
First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.

What do you need to do?
As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.

Client Area Password
Please visit Password Reminder tool at http://members.000webhost.com/forgot_password.php and enter your email address, the new password will be sent to your email. Afterwards, login to your account with the new password and manually set a new, secure password at http://members.000webhost.com/edit_your_details.php

Hosting Account Password
To reset the password for your hosting account (and FTP), visit "Change Account Password" section on control panel and enter a new password there.

Email Account Password
Email account passwords should be changed by visiting "Manage Email Accounts" section and clicking "Change password" for each email account.

MySQL User (Database) Password
MySQL user passwords are managed in "MySQL" section on control panel. In the "Action" field click the "Change Password" and set a new password there.

We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future.
Regards
000webhost Team

Prior reports on the breach:
[ troy hunt ]
[ forbes ]

Can't stress how important proper PHP databasing is. MD5 has been considered non-secure for long enough that plain text should be punishable by death. But at least 000webhost is consistent, for as much as they didn't care to learn that it's happened, they don't seem to promote any customer-care that it did happen.

& for those unfortunate enough to have been a 000webhost user, you can search for your login on haveibeenpwned, & update your password anywhere else that may use the same creds.

-#2pencil-

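To put the point about MD5 into practice, here is an added Python example (not 000webhost's code or anything from the post) showing why unsalted MD5 exposes users who share a password, and how a login path can migrate legacy MD5 rows to salted PBKDF2 the moment the plaintext is available. The user table, the password and the iteration count are constructed for the example; PHP's own password_hash()/password_verify() play the same role in a PHP code base.

```python
import hashlib
import hmac
import os

# Assumption for the example: tune upwards until a check costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 100_000


def md5_hash(password: str) -> str:
    """Legacy unsalted MD5, the scheme the thread criticises.
    Kept only so existing rows can be verified once and then replaced."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str) -> str:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Stored as algo$iterations$salt_hex$digest_hex so the parameters travel with the row."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Verify against either format, using a constant-time comparison in both cases."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(md5_hash(password), stored)  # legacy MD5 row


def login(users: dict, name: str, password: str) -> bool:
    """Authenticate; on success, transparently upgrade a legacy MD5 row to PBKDF2.
    Login is the only time the plaintext is seen, so it is the moment to migrate."""
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        users[name] = pbkdf2_hash(password)
    return True


# Constructed sample table: two users who happened to choose the same weak password.
LEGACY_USERS = {"alice": md5_hash("hunter2"), "bob": md5_hash("hunter2")}


def demo():
    users = dict(LEGACY_USERS)
    same_md5 = users["alice"] == users["bob"]        # True: shared passwords are visible
    ok = login(users, "alice", "hunter2") and login(users, "bob", "hunter2")
    upgraded = all(v.startswith("pbkdf2_sha256$") for v in users.values())
    same_pbkdf2 = users["alice"] == users["bob"]     # False: per-user salt
    still_ok = login(users, "alice", "hunter2")      # new rows still verify
    wrong = login(users, "alice", "Hunter2")         # wrong case is rejected
    return same_md5, ok, upgraded, same_pbkdf2, still_ok, wrong
```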
10-28-2015, 07:28 PM
Post: #2
RE: 13+ million credentials dumped in 000webhost Breach
I love the sarcastic-looking quotes on their copyright notice.

Quote: 2007-2015 © Copyright 'First class Web Hosting'.

If they've been this incompetent since they started in 2007, why has this kind of breach not happened before now?
10-28-2015, 07:50 PM
Post: #3
RE: 13+ million credentials dumped in 000webhost Breach
It likely has happened, but it is just now being taken advantage of. Unencrypted passwords (or MD5-hashed passwords) over unencrypted protocols & out of date software is how the NSA has infiltrated, well, just short of everything. The difference with this situation is, that despite not finding it themselves, they had an infrastructure that ignores outside assistance, & only makes an attempt to clean up once their image has been tarnished.

-#2pencil-
