Advertising-based revenue models may be a standard facet of today's internet businesses, but firms peddling free/freemium services are still on the hook for providing strong information security to their user bases. In fact, they arguably have an even greater responsibility protect user data than paid-for services. So how do events like yesterday's massive data breach involving free web hosting providing 000webhost transpire? In a word, negligence. Gross negligence, to be precise.
We spoke to IT security expert Troy Hunt about his data breach search engine Have I Been Pwned? and the myriad of dangers that surround online data. Interestingly enough, Troy was contacted a few days ago and made privy to a massive database hacked from free web hosting provider 000webhost—13 million user records consisting of names, emails, and plaintext passwords. Forbes, ZDnet, and The Register have since picked up on the news.
What makes this particular compromise unique from the seemingly daily hacking occurrences is the sheer lack of prudence on 000webhost's part. Indeed, describing 000webhost's security failings as such is a gross understatement :
2. Password reminders are sent via email in plaintext.
3. Form validation exceptions pass plaintext values in the query string, which of course end up in web server logs, browser histories, and other publicly-viewable areas.
These are just a few examples of 000webhost's security shortcomings, which invariable led to its breach of 13 million customer records. More information regarding the "hack" is available on Troy's blog , though labeling it as such does somewhat of a disservice to seasoned cybercriminals. By all measures, this data breach was child's play for the attacker(s) in question.
Web companies that garner large followings through complimentary service offerings—ad-based or otherwise—have an equal or even stronger need for robust security measures due to the anticipated volume of user registrations for free services. Lack of security (and resultant compromised data) is just plain bad business, even if no credit card data is stored/stolen.