000webhost was compromised. If you ever used it, change your passwords.

[pch]

What happened?

A hacker used an exploit in an old PHP version, that we were using on our website, in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.

Although the whole database has been compromised, we are mostly concerned about the leaked client information.

What did we do about it?

We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.

In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.

We reseted all users passwords in our systems and increased the level of encryption to prevent such issues in the future.

We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.

What do you need to do?

As all the passwords have been changed to random values, you now need to reset them when the service goes live again.
DO NOT USE YOUR PREVIOUS PASSWORD.
PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.

We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.

We are sorry

At 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that.
At 000webhost our top priority remains the same - to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together.
Our leadership team will closely monitor this issue and will do everything possible to earn your trust every day.

Sincerely,
000webhost CEO,
Arnas Stuopelis

This e-mail was sent to two e-mails I registered with them upwards of a year and a half ago. So if you EVER used them you're probably going to want to change credentials if you use the same password for multiple things

[Ad Bot]

[EcstaticEggplant]

oh stuff, i swear ive used them before but never got this email

[PurpleMetro]

stuff, i used them before too

[kahnu]

what the forget
I'm hosting two websites on two different emails on two different IP's and i didnt get this email for either of them


were they able to find out the mysql passwords on people's respective websites?

[pch]

what the forget
I'm hosting two websites on two different emails on two different IP's and i didnt get this email for either of them


were they able to find out the mysql passwords on people's respective websites?

it says in the e-mail the WHOLE database was compromised. so i would guess so

[Frankie²]

wonderful

[Decepticon]

wait im sort of dumb and confused here

does this only concern only people who host servers? or is this something similar to the imgur-reddit exploit where if you've encountered it in some way but not directly you're still effected?

[pch]

wait im sort of dumb and confused here

does this only concern only people who host servers? or is this something similar to the imgur-reddit exploit where if you've encountered it in some way but not directly you're still effected?

this only applies to people who registered an account on 000webhost

[keesfani]

Why the forget did they store the passwords unencrypted?

[Pecon]

Why the forget did they store the passwords unencrypted?

They never explicitly said that passwords were stored unencrypted, all that they said was they "Increased the level of encryption", which implies there was encryption to begin with, but it may have been antiquated and no longer very secure by modern standards. Who knows, though.

Anyways, I never signed up for them before. Been on paid hosting since forever since all free services have huge drawbacks... Such as incompetency in securing client information.

[ZXukas]

that sucks

[Ipquarx]

sigh
well i was using a stuffty password with it anyways that i only use on accounts i dont care about so oh well

[Headcrab Zombie]

Why the forget did they store the passwords unencrypted?

They probably didn't, but even a hashed password list isn't something you want people to have

[pch]

They never explicitly said that passwords were stored unencrypted, all that they said was they "Increased the level of encryption", which implies there was encryption to begin with, but it may have been antiquated and no longer very secure by modern standards. Who knows, though.

Anyways, I never signed up for them before. Been on paid hosting since forever since all free services have huge drawbacks... Such as incompetency in securing client information.

No, they definitely stored their passwords unencrypted. If you forgot your password they would email you it in plaintext.

[Ipquarx]

No, they definitely stored their passwords unencrypted. If you forgot your password they would email you it in plaintext.

That could also imply that they were encrypted but that they knew the encryption key, something the attackers may not have known.