
Web Host Hacked, Millions of Credentials Leaked

By David Murphy, Freelancer


There are plenty of problems with free Web hosts, but they can be a valuable tool for those who want to get their feet wet in website design without paying for it.

Well, unless you used the free Web hosting provider 000Webhost. According to Ars Technica, 000Webhost was hacked and as many as 13.5 million plain text passwords, as well as names and IP addresses, were leaked.

Security researcher Troy Hunt, who also runs the "Have I been pwned?" service, was the first to receive the tip that a hacker had dumped 000Webhost data online.

"Hunt spoke with five 000Webhost users, who confirmed their passwords matched with those he'd been handed. He also found his own email address in the database," according to Forbes. "It appeared someone had registered an account in Hunt's name and could do so because 000Webhost didn't do any validation using the email. He subsequently took control of the account by issuing a password reset."

Hunt found it extremely difficult to reach anyone at 000Webhost, though he noticed that the company reset its users' passwords in response to the hack.

"There's only one good reason why an organization does that, and that's because they believe all the passwords have been compromised," Hunt wrote. "This was the first clear acknowledgement from 000webhost that they had been breached. Of course this does nothing to protect impacted users' other accounts where they've reused passwords, only communication from 000webhost alerting them to the incident will help with that."

000Webhost provided details about the attack on Facebook four days after Hunt gave the company detailed information about what happened via its ticketing system (and requested the matter be forwarded on up to 000Webhost's CEO).

"A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information," reads 000Webhost's post.

As for what you should do if you are (or used to be) an 000Webhost user:

"As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE," 000Webhost says (emphasis theirs).
