The free web hosting site 000webhost.com informed customers yesterday that one of its servers was hacked, compromising its entire database of about 13.5 million clients, and an executive at a security firm pinned the problem on outdated software.
The web hosting company said it first noticed the issue on October 27 and is advising its customers to immediately reset their client area, hosting account and email account passwords. In a Facebook post, the company said the attacker used an exploit in an old PHP version to upload files and thereby gain access to its entire database, including client passwords and personal records.
“Our users’ sites will stay online and will be fully functional during this investigation. We will fully cooperate with law enforcement authorities. At the same time our internal investigation has been started. We advise our customers to change their passwords and use different passwords for other services,” 000webhost.com said.
Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com in an email on Thursday that the issue centered on the use of outdated software.
“In our experience, the majority of similar data breaches occur because of insecure or outdated web applications. For this particular case a vulnerability affecting the main website of the hosting company may potentially open a door to the entire customer database,” he said.
Troy Hunt, who runs the service Have I Been Pwned?, said in a blog post that he received a tip on the breach and attempted to contact 000webhost.com to notify it both of the breach and of the fact that the stolen data was already being traded, but could not get a response.
Carl Herberger, Vice-President of Security Solutions at Radware, said in an email to SCMagazine.com on Thursday that many paid services do not encrypt all data, or use the most secure methods, because it is too costly. Free services are in an even weaker position to provide those measures.
“You may think you’re saving money, but with breaches becoming so common today, it’s a safe bet to say you’ll pay more in the end,” Herberger said.
High-Tech Bridge ran a test of the 000webhost.com site using its SSL checker and found it was not in compliance with PCI DSS and NIST guidelines, and this could be a reason 000webhost.com was at risk, Kolochenko said.
“Each country and industry has some specific requirements and procedures to follow. Therefore, even if a business is not required to be compliant with certain standards or rules, it may always be an indicator that information security is at risk if these rules and standards are not being respected,” Kolochenko said.
Attempts to reach 000webhost.com for further comment on the issue were unsuccessful.