The data breach of 000Webhost has exposed more than 13.5 million accounts belonging to customers of the Lithuanian company. Personal data exposed in the attack include usernames, passwords in plain text, email addresses, IP addresses and names.
In a Facebook post published Wednesday morning, 000Webhost officials confirmed the breach and said it was the result of hackers
We have witnessed a database breach on our main server.
A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.
What did we do about it?
First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.
What do you need to do?
As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.
Client Area Password
Please visit Password Reminder tool at http://members.000webhost.com/forgot_password.php and enter your email address, the new password will be sent to your email. Afterwards, login to your account with the new password and manually set a new, secure password at http://members.000webhost.com/edit_your_details.php
Hosting Account Password
To reset the password for your hosting account (and FTP), visit “Change Account Password” section on control panel and enter a new password there.
Email Account Password
Email account passwords should be changed by visiting “Manage Email Accounts” section and clicking “Change password” for each email account.
MySQL User (Database) Password
MySQL user passwords are managed in “MySQL” section on control panel. In the “Action” field click the “Change Password” and set a new password there.
We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future.
According to Forbes, the free web hosting company 000Webhost was breached in March 2015, and someone has already been offering the database for sale on the underground.
The free web hosting company 000Webhost bears much of the responsibility. First, it failed to protect the data properly, storing it in plain text, and then it repeatedly ignored Troy Hunt, who tried to inform the company of what was happening.
In response to the incident, the IT staff of the 000Webhost free hosting service changed all customers' passwords to random values and applied encryption (never too late!), but did not communicate the incident to the customers who supposedly suffered the data breach.
The company also removed the content the hackers had uploaded as soon as it discovered the data breach.
However, 000Webhost said: “We removed all illegally uploaded pages as soon as we realized that there was a breach [of data]. Then we changed all passwords and increased encryption to avoid such mishaps in the future.”
Anyone who has used 000Webhost should be on the alert for fraud. In the event that users have used the same or a similar password on other websites, they should change it immediately. The fresh infusion of 13 million passwords into the already massive corpus of existing passwords should bring new urgency to the oft-repeated admonition to use a long, randomly generated password that’s unique to every site. Advice on how to do that is here.