000webhost is a free web hosting service which supports both PHP and MySQL, catering for millions of users worldwide. On Wednesday, the firm told users in a Facebook message that the company had suffered a data breach on its main server.
A hacker used an exploit in an old, unpatched version of PHP to upload malicious files and gain access to the service’s systems. Not only was the full database containing the usernames, passwords and email addresses compromised, but this information has been dumped online.
000webhost said it removed all the malicious uploads once they became aware of the breach, and “changed all the passwords and increased their encryption to avoid such mishaps in the future.”
An interesting statement to make, as Troy Hunt, Microsoft MVP for Developer Security and the owner of Have I been pwned, notes that the record dump contained plain text passwords. If a service does not at least hash stored passwords, an attacker who steals the database can use the credentials immediately, with no cracking step in between.
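To make Hunt's point concrete, here is an added example (not code from the original article and not 000webhost's own code) that puts a plaintext credential record beside a salted, iterated hash record built with PBKDF2-HMAC-SHA256 from Python's standard library. The sample email and password are constructed; the iteration count and the record layout are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential, not a record from the breach.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_PASSWORD = "hunter2"

# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
ALGO_TAG = "pbkdf2_sha256"


def plaintext_record(email: str, password: str) -> str:
    """The storage model the dump exposed: the password is stored verbatim."""
    return f"{email}:{password}"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and pack it as algo$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGO_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def hashed_record(email: str, password: str) -> str:
    """The storage model Hunt is asking for: only the derived hash is kept."""
    return f"{email}:{hash_password(password)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO_TAG or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def leak_reveals_password(record: str, password: str) -> bool:
    """What a dumped row gives an attacker: True if the password is readable as-is."""
    return password in record


if __name__ == "__main__":
    plain = plaintext_record(SAMPLE_EMAIL, SAMPLE_PASSWORD)
    hashed = hashed_record(SAMPLE_EMAIL, SAMPLE_PASSWORD)
    print("plaintext row exposes password:", leak_reveals_password(plain, SAMPLE_PASSWORD))
    print("hashed row exposes password:   ", leak_reveals_password(hashed, SAMPLE_PASSWORD))
    print("login still works against hash:", verify_password(SAMPLE_PASSWORD, hashed.split(":", 1)[1]))
```

The salt is random per record, so two users with the same password get different stored values, and the iteration count is stored alongside the hash so it can be raised later without invalidating existing records. A leaked hashed row still needs to be cracked offline, which is the cost a plain text store hands to the attacker for free.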
As a result, if these passwords are used on any other services, users should change them as soon as possible. 000webhost has also asked users to change their account passwords following a site-wide reset, but at the time of writing the website is down for repairs and there is nothing customers can do at present.
Hunt also notes the member area is anything but secure, and little seems to have been done to improve security — especially as the breach reportedly took place in March this year.
Security disclosure service XSSposed has an open ticket for the data breach detailing the vulnerability which may have been the root cause of the cyberattack. On 26 October, a researcher reported a cross-site scripting vulnerability on 000webhost.com — joining another six vulnerabilities reported by security teams — which is still unpatched, placing users at risk.