13.5m User Accounts May Be Compromised in 000Webhost Breach

About 13.5 million user accounts from one of the larger free web hosting companies in the world, 000Webhost, appear to have been compromised—with far-reaching consequences to potentially many millions of individuals.

User accounts have had their passwords reset, but the Lithuania-based company has not acknowledged the breach, nor has it given any direct notice to customers.

The issue was first brought to light by independent security researcher Troy Hunt, a Microsoft veteran who runs the service Have I been pwned? (HIBP). HIBP allows people to discover whether their personal data has been compromised on the web. When a breach hits the public airwaves, he loads in the affected email addresses, and those who subscribe to the free service are then notified if they’ve been compromised.

Hunt was contacted by an anonymous source who claimed to have a database containing the credentials of 13.5 million 000Webhost users. They hadn’t yet been leaked online, and Hunt said that the database appeared legitimate. He contacted a writer at Forbes, and the two then checked out the data, determining that it was, in fact, legitimate. But, all of their subsequent efforts to notify 000Webhost of the breach resulted in stonewalling by the company, they said.

“Convinced this looked like a real breach, I tried to contact and warn 000Webhost,” said Thomas Brewster, the Forbes writer, in an article on the situation. “The company, however, has been almost impossible to engage in any dialogue about a possible breach.” He tried email, web forms, various phone numbers, even LinkedIn messages, to no avail.

To add insult to injury, users have been cut off from the FTP servers used to host their website files.

The company told users: “Due to security check on 000webhost platform and your own safety, FTP access to your account is disabled until 2015 November 10. Please use file manager to upload/edit your files or upgrade the account to premium using the upgrade section below and enjoy the feature rich premium services.”

A parent company representative confirmed to Brewster that FTP access had been shut down, but would not elaborate further.

After users began complaining, the firm apparently went a step further down the road of bad practice, and started removing Facebook posts from customers that referenced the security issues.

As of publication the hosting company has still not acknowledged that there might be an issue, but Hunt and Brewster insist that there is.

“[This] is a by-the-numbers ‘what not to do’ cautionary tale about breach notification handling,” said Tod Beardsley, principal security research manager at Rapid7, in an email. “We know that breaches happen, with some regularity, so I don't blame 000Webhost for getting compromised, but it’s critical that organizations who suffer a compromise communicate effectively, quickly and directly to their customer base with steps to protect themselves. Given 000Webhost’s position as a top free web hosting provider, there are undoubtedly thousands and thousands of small companies who rely on 000Webhost for their economic viability, and every one of them is now exposed to casual vandalism.”

He added that people and small companies who are looking for hosting need to start demanding reasonable standards when it comes to breach and vulnerability handling.

“Depressingly, every list of ‘best free web hosting services’ I could find, including the Wikipedia comparison page, lacks any sort of security criteria that people can use to make informed choices,” Beardsley said. “Feature sets and usability are important, to be sure, but regular security patching, public audit records and a statement of intent of how breaches are handled are crucially important to protect users' data, not to mention the downstream customers’ data.”