13 Million Passwords Taken in Web Host Data Breach
The usernames, email addresses and passwords of 13.5 million accounts were stolen from 000webhost, a Lithuania-based web hosting company.
The company admitted to the breach on its Facebook page.
In the statement, the company said, “We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers’ personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.”
To resolve the issue, 000webhost said, “We are still working 24/7 in order to identify and eliminate all security flaws. Additionally, we are working on upgrading all of our systems… in an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved.”
Forbes discovered the breach when an anonymous source contacted Troy Hunt, a cybersecurity professional and owner of the website haveibeenpwned.com, which lets users check whether their email addresses have been compromised in a breach.
While it is unclear how the breach was accomplished, some think 000webhost did not have strong enough security measures.
“I never cease to be amazed at just how badly wrong an organization can get security. It was only this week we learned of the TalkTalk attack having been carried out by a 15-year-old using free tools,” Hunt said in an interview. “Now we’re seeing how 000webhost stored over 13 million passwords in plain text, which is simply unforgivable.”
On its Facebook page, the company promised it is working with law enforcement officials to uncover the source of the breach.