
000Webhost blames PHP exploit for breach of 13.5 million records

Unencrypted passwords for a free web hosting firm were on sale for five months before customers were notified their records had been leaked, according to a security researcher

Free web hosting firm 000Webhost has blamed an exploit in an old PHP version of its website for exposing 13.5 million customers’ details to hackers.

In addition to failing to keep the software behind its website up to date, the company also failed to protect customer data: passwords were stored in plaintext rather than hashed.

Worse still, the data breach happened around five months ago, according to security researcher Troy Hunt, who first reported it in a blog post.

The data, which includes customer names, email addresses and plaintext passwords, has reportedly been put up for sale on underground markets, giving cyber criminals a months-long head start on the victims.

It is this kind of breach that enables cyber criminals to test the leaked username and password pairs against other sites (credential stuffing), which is possibly how hackers gained access to thousands of British Gas and Vodafone accounts.

Hunt, who runs the breach notification service Have I Been Pwned, said he was tipped off about the breach by an anonymous source.

According to Hunt, 000Webhost has never responded to or acknowledged his warnings, nor contacted affected customers directly.

However, in a notice published on the company’s Facebook page on 29 October, 000Webhost said it became aware of the issue on 27 October and had been working to resolve it since then.

The company said the stolen data included usernames, passwords, email addresses, IP addresses and names, but did not spell out that the passwords were stored unencrypted.

“We are still working 24/7 to identify and eliminate all security flaws,” said 000Webhost, adding that it had reset all users’ passwords and removed “illegally uploaded” pages.

000Webhost also advised all customers to change their passwords and use different passwords for other services.

Independent security consultant Graham Cluley described the lack of encryption as “reckless”.

“One has to assume that words such as hashing, salting and encryption are not in their dictionary,” he wrote in a blog post.

Salting refers to adding a random value, generated separately for each user and stored alongside the result, to the password before it is hashed, so that even if two users pick the same password, their stored password representations end up different and an attacker cannot crack them all at once with a single precomputed table. Hashing refers to passing the salted password through a one-way cryptographic function, ideally one deliberately designed to be slow for password use, so that the original password cannot be recovered from what is stored even if the database leaks.
