The Hacking Of 000webhost—Why Free Should Not Be Synonymous With Unsecure

The Hacking Of 000webhost—Why Free Should Not Be Synonymous With Unsecure

UpGuard Team
UpGuard Team
updated Aug 04, 2020

Advertising-based revenue models may be a standard facet of today's internet businesses, but firms peddling free/freemium services are still on the hook for providing strong information security to their user bases. In fact, they arguably have an even greater responsibility protect user data than paid-for services. So how do events like yesterday's massive data breach involving free web hosting providing 000webhost transpire? In a word, negligence. Gross negligence, to be precise.

We spoke to IT security expert Troy Hunt about his data breach search engine Have I Been Pwned? and the myriad of dangers that surround online data. Interestingly enough, Troy was contacted a few days ago and made privy to a massive database hacked from free web hosting provider 000webhost—13 million user records consisting of names, emails, and plaintext passwords. Forbes, ZDnet, and The Register have since picked up on the news.  

What makes this particular compromise unique from the seemingly daily hacking occurrences is the sheer lack of prudence on 000webhost's part. Indeed, describing 000webhost's security failings as such is a gross understatement :

1. The login forms and admin areas of the website are sans SSL-encryption.

000webhost login page

2. Password reminders are sent via email in plaintext. password email

3. Form validation exceptions pass plaintext values in the query string, which of course end up in web server logs, browser histories, and other publicly-viewable areas.

Form validation exception passed in plaintext

The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?

These are just a few examples of 000webhost's security shortcomings, which invariable led to its breach of 13 million customer records. More information regarding the "hack" is available on Troy's blog , though labeling it as such does somewhat of a disservice to seasoned cybercriminals. By all measures, this data breach was child's play for the attacker(s) in question.

Web companies that garner large followings through complimentary service offerings—ad-based or otherwise—have an equal or even stronger need for robust security measures due to the anticipated volume of user registrations for free services. Lack of security (and resultant compromised data) is just plain bad business, even if no credit card data is stored/stolen.

Reviewed by
No items found.

UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape