“Have I Been Pwned?” owner uncovers 13 million plaintext passwords leaked from free webhost

By Justin Pot October 28, 2015

have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we — guteksk7/Shutterstock

000webhost, which implores users to “forget the stereotype that free hosting is unreliable” on its homepage, may need to re-think that bit of copy.

The free web host, which was both storing and transferring user information in plaintext, has been compromised. Users’ email address, passwords, and IP addresses are all being bought and sold by hackers. Passwords have been reset by the host, but anyone who used their passwords for other sites should change those as well.

Recommended Videos

This took a lot of work to get to the bottom of, hard to fathom hard bad this 000webhost breach is on many levels: https://t.co/xzRxvSTfiZ

— Troy Hunt (@troyhunt) October 28, 2015

The leak was made public today in an extensive blog post written by web security expert Troy Hunt, who runs the site HaveIBeenPwned. The site lets anyone search a database of known leaks to find out if their personal information has ever been compromised, and occasionally people email him about unknown leaks.

“Hey,” a message Hunt received said, “approximately 5 months ago, a certain hacker hacked into 000webhost and dumped a 13 million database consisting of name, last name, email and plaintext password,”

Hunt looked into the claims, found out they were legitimate, then attempted to contact 000webhot to fill them in (Hunt doesn’t want HaveIBeenPwned to be a service that announces leaks).

Getting in touch with 000webhost, however, proved impossible –he basically got back only generic helpdesk advice. Eventually Hunt asked Forbes journalist Thomas Fox-Brewster for help getting in touch with the company, but they didn’t get back to him either. They did, however, change users’ passwords en masse – without informing anyone why.

Only after Fox-Brewster published an article about the breach, and Hunt published his blog post, did anyone at 000webhost publicly acknowledge the breach. A Facebook post informed users, along with a small note on the company’s website.

“Due to security breach, we have set www.000webhost.com website on maintenance until issues are fixed,” the homepage currently says. FTP access is reportedly cut off until November 10.

So, is free hosting reliable? Hunt, for his part, thinks you should be skeptical.

“When you see free or really cheap hosting and wonder why AWS / Azure / et al seem expensive, think of what corners they may be cutting,” he tweeted.

Probably good advice.

Topics

Former Digital Trends Contributor

Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…

Computing

NASA tests new AI chatbot to make sense of complex data

An Earth image captured by NASA.

Using its Earth-observing satellites, NASA has collected huge amounts of highly complex data about our planet over the years to track climate change, monitor wildfires, and plenty more besides.

But making sense of it all, and bringing it to the masses, is a challenging endeavor. Until now, that is.

Computing

Corsair just spilled the beans on next-gen GPU requirements

Nvidia GeForce RTX 4090 is shown along with a hand holding the power cable adapter.

Sometimes, news about next-gen GPUs comes from unlikely sources -- today is one of those days. Corsair just spoke about its power supply units (PSUs) and cooling solutions in relation to the future of some of the upcoming best graphics cards. It turns out that Nvidia's RTX 50-series may not be that much more power-hungry than the current-gen cards, but there's more than just Nvidia to consider here.

Although unexpected, Corsair's statement sounds like good news. The company doesn't talk about any new solutions. In fact, Corsair seems to confirm that the power supply units (PSUs) we use today will still work fine for next-gen cards -- provided the wattage is sufficient.

Computing

Apple hid one of the best features of the M4 MacBook Pro

Someone using a MacBook Pro M4.

Apple's new M4 MacBook Pro is great. It earned a rare Editors' Choice badge in our M4 MacBook Pro review, and it's cemented itself as one of the best laptops you can buy. Even with so much going for it, Apple hid one of the most exciting developments it made with its new range of laptops -- the use of quantum dot technology.

Like the last few generations of MacBook Pro displays, the M4 range is using a mini-LED backlight. There's no tandem OLED like we saw on the iPad Pro earlier this year. However, according to Ross Young, CEO of Display Supply Chain Consultants (DSCC), Apple added a layer of quantum dots to the M4 MacBook Pro. This, according to the display expert, offers better color gamut and motion performance compared to the solution Apple previously used.