Hacker is selling the 000Webhost database on the Dark Web

Oct 29, 2015 14:59 GMT

Five months ago, an unknown hacker breached the 000Webhost.com free Web hosting service, stole 13 million passwords, and put them up for sale online for USD 2,000 / EUR 1,800.

The revelation comes via Troy Hunt, owner of the Have I been pwned? (HIBP) service that alerts users if their data has been exposed online during a data breach.

The data breach went unnoticed for five months

Mr. Hunt came across the incident after somebody contacted him and offered him the 000webhost.com database so that he would add it to the HIBP service.

After verifying that the database dump he received was genuine 000Webhost.com data, Mr. Hunt set out to notify the company of the breach.

After six days in which he and a Forbes reporter either could not reach the company or were ignored by it, Mr. Hunt eventually disclosed the incident on his blog, along with the entire ordeal he went through to inform 000Webhost of its breach.

Around 22 hours ago, 000Webhost.com, a subsidiary of UK-based firm Hostinger, acknowledged the incident on Facebook, and moved to reset everyone's password, while also cutting off FTP access to the site until November 10.

A server running an older PHP version is to blame

The company also offered details about the incident, saying that "a hacker used an exploit in [an] old PHP version to upload some files [to the servers], gaining access to our systems." This apparently has nothing to do with a recent XSS flaw also discovered on 000Webhost's website.

000Webhost.com also admitted that their entire customer database (at that point) was compromised, containing, according to Mr. Hunt, 13,545,468 user accounts.

The hacker managed to steal customer IDs, client names, IP address information, emails, and passwords in cleartext.

While 000Webhost.com reset all account passwords, users who reuse passwords should now change the credentials on every other account registered under the same email address or name as their 000Webhost.com account.

The entire 000Webhost.com user database has now been added to the HIBP website, where it ranks third behind Adobe's breach (152 million accounts) and the infamous Ashley Madison breach from this summer (30 million accounts).