The "Hacking" Of 000webhost—Or Why Free Should Never Be Synonymous With Unsecure

Last updated by UpGuard on August 23, 2019


Advertising-based revenue models may be a standard facet of today's internet businesses, but firms peddling free/freemium services are still on the hook for providing strong information security to their user bases. In fact, they arguably have an even greater responsibility to protect user data than paid-for services. So how do events like yesterday's massive data breach involving free web hosting provider 000webhost transpire? In a word, negligence. Gross negligence, to be precise.

In Episode 009 of The Gig, we spoke to IT security expert Troy Hunt about his data breach search engine Have I Been Pwned? and the myriad dangers that surround online data. Interestingly enough, Troy was contacted a few days ago and made privy to a massive database hacked from free web hosting provider 000webhost—13 million user records consisting of names, emails, and plaintext passwords. Forbes, ZDNet, and The Register have since picked up on the news.


What makes this particular compromise different from the seemingly daily hacking occurrences is the sheer lack of prudence on 000webhost's part. Indeed, describing 000webhost's security failings as a lack of prudence is a gross understatement:

1. The login forms and admin areas of the website are sans SSL-encryption.

[Screenshot: 000webhost login page]

2. Password reminders are sent via email in plaintext.

[Screenshot: password reminder email]

3. Form validation exceptions pass plaintext values in the query string, which of course end up in web server logs, browser histories, and other publicly-viewable areas.

[Screenshot: form validation exception passed in plaintext]

These are just a few examples of 000webhost's security shortcomings, which invariably led to its breach of 13 million customer records. More information regarding the "hack" is available on Troy's blog, though labeling it as such does something of a disservice to seasoned cybercriminals. By all measures, this data breach was child's play for the attacker(s) in question.
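Failing #3 is the one a hosting provider can check for on its own servers without waiting for a breach notification: any credential that travelled in a query string is sitting in the access logs. The following Python script is an added example (not 000webhost's or UpGuard's code) that scans Combined Log Format lines for sensitive parameter names and reports the offending requests with the values masked; the log lines, parameter list and addresses are constructed for illustration.

```python
"""Audit access logs for credentials leaked through query strings (failing #3 above).
Added example, not code from 000webhost or UpGuard. Offending requests are reported
with the sensitive values masked, so the finding does not leak them a second time."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that have no business travelling in a GET query string (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "password_confirm", "email", "token"}
# Combined Log Format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def mask(value: str) -> str:
    """Keep only length and last character: enough to correlate, not to reuse."""
    if len(value) <= 2:
        return "*" * len(value)
    return "*" * (len(value) - 1) + value[-1]

def leaked_params(line: str) -> list:
    """Return [(name, masked_value), ...] for sensitive query parameters in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query  # parse_qsl also percent-decodes values
    return [(k, mask(v)) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]

def audit_log(lines) -> list:
    """One finding per offending request; the raw query string itself is not kept."""
    findings = []
    for line in lines:
        params = leaked_params(line)
        if params:
            m = LOG_RE.match(line)
            findings.append({"time": m.group("time"), "client": m.group("host"),
                             "path": urlsplit(m.group("target")).path,
                             "status": int(m.group("status")), "params": params})
    return findings

# Constructed sample lines (RFC 5737 test addresses, made-up accounts), not real data.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2015:10:12:01 +0000] "GET /login?email=alice%40example.com&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Oct/2015:10:12:09 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Oct/2015:10:13:44 +0000] "GET /register?error=1&email=bob%40example.com HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Oct/2015:10:14:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Run against a real log, the first two sample lines are the pattern to look for: a GET carrying credentials followed by the POST that should have carried them, which means a form or redirect is putting user input into the URL.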

Web companies that garner large followings through complimentary service offerings, ad-based or otherwise, have an equal or even stronger need for robust security measures due to the anticipated volume of user registrations for free services. Lack of security (and the resultant compromised data) is just plain bad business, even if no credit card data is stored or stolen. To learn more, take a listen to our Halloween Episode of The Gig with Troy Hunt.
