You are invited to Log in or Register a free Frihost Account!

Free webhosting provider 000webhost hacked

Free webhosting provider 000webhost hacked, 13.5m accounts now offered on the Darkweb.

Data included in the breach includes usernames, passwords, email addresses, and IP details.

A hacker used an exploit in old PHP version to upload some files, gaining access to
their systems.

OK, we know, the internet is not secure. The same probably could happen to everyone providing service on the internet. That's why it is always a bad idea to re-use a password for more than one site.

13 blog comments below

I have been meaning to go through my passwords, come up with new ones and go through my accounts. I should probably do that sooner rather than later.
TheGremlyn on Mon Nov 02, 2015 3:29 pm
@TG Change those passwords TODAY!!!

I have different passwords on all accounts. Can be confusing and frustrating but I know it helps. I also change 'critical' accounts passwords at least every six months.
standready on Mon Nov 02, 2015 4:54 pm
The mention of 000webhost reminds me of a few years back when Server 1 was badly hacked. The guy who hacked it left a trail enough for me to follow him to a hack forum. I found it very intriguing though, particularly recommendations for how to hack a Website. Irony of ironies though is that in the tutorial by this hacker he recommends 000webhost for creating hack pages. It's untraceable. So looks as though 000webhost is a home of many hackers. Maybe the hacker accounts have been hacked as well. Razz

In this day and age I don't think fixing passwords is enough. It is a deterrent, but one has to make sure one is in good company with a very good Data Center and a good host. Bondings has us at one of the best data centers in Germany security and quality wise. Probably for the reason that he can't be around. The center has so many hack filter scripts, which sometimes can be a problem as those scripts immediately pick up on visitors with IPs that have been blacklisted by places like Spamhaus. But it works. It forces their clients to be alert, and assures a greater level of protection. So I think in the end it is the company one keeps on a shared server that can make the difference for security.
deanhills on Mon Nov 02, 2015 10:16 pm
Changing my passwords is taking forever. I made a list of the accounts I had... and I'm looking at it now. There's almost 50! I mean, for some things I have multiple accounts (email and apple IDs, etc). This is making me sad. Also coming up with 6 or 7 passwords to rotate through. That also sucked. I'm not done yet Sad
TheGremlyn on Tue Nov 03, 2015 4:08 am
Whatever you do, never reuse your email password.
Peterssidan on Tue Nov 03, 2015 10:55 am
I hear you TG. I also made a list once, am trying to keep it up and it's brutal how many I have. I'm thinking of getting one of those password services, but somehow I'm worried my passwords could be poached that way as well.

@Peterssidan. I thought most commercial e-mail hosts like Hotmail won't allow you to use an old password. They force one to change it to something new.
deanhills on Tue Nov 03, 2015 8:43 pm
Hotmail isn't too bad. When I was trying to change my passwords I had to verify with a code that was either sent via email or by phone. Madness.

I'm trying out LastPass right now. We use it at work and one of the managers has their own account. He's got the 2 factor piece going with the YubiKey, which is neat.

Before I tried it I wanted to obviously talk to someone who is using it. My understanding is you set up an account and you have a master password for your account (and your Vault). As you visit sites you can save your login information to LastPass. While this stuff is saved in the Cloud, LastPass would not be able to recover your passwords if anything happened because they do not know the master password you've set. So the idea is that your information is encrypted online and, unless someone wanted to spend a lot of time trying to decrypt that information, your account information should be fairly secure... assuming you have a pretty good master password.

The YubiKey is interesting but it's really only meant to work with computers with USB ports. You use it when you're trying to access your LastPass vault. You log in with your LastPass account, then you're prompted with a second password field. You plug in the YubiKey and press the button and it fills in the automatically, and randomly, generated password. If you have a text editor open and press the key you can see the types of gibberish passwords it comes up. I'm not sure how long those are active for...
TheGremlyn on Tue Nov 03, 2015 11:50 pm
deanhills wrote:
I thought most commercial e-mail hosts like Hotmail won't allow you to use an old password. They force one to change it to something new.

That protects in case of old passwords being leaked but not much help if they know your current password.
Peterssidan on Wed Nov 04, 2015 11:08 am
True. But I'm almost certain that "current" passwords that were leaked would be a fraction of the 13.5 million. They must be the same as Frihost where the bulk of their activity had been from 2007 to 2010. And it's been on a slow down since then. The 13.5 million passwords must be collective for the period 2007 when it was first created. gives the impression of sloppy, old and dated so probably hasn't cleaned up their accounts from the beginning of time.

I'd say of what is left over a significant portion of the hosting account passwords belong to hackers who created new accounts with "disposable" details for each of their hacking face pages. Like disposable passwords that must have been logged over a very VERY long time period. The REAL remaining "current" passwords that are at risk I'm sure must be numbered in hundreds as opposed to millions. Will take some script to search through those 13.5 million passwords. Razz
deanhills on Wed Nov 04, 2015 9:36 pm
Glad you are changing those passwords. Pain but worth the effort.
I see 'LastPass" is available for Google's Chrome browser for free. I need to look more into that.
standready on Thu Nov 05, 2015 2:36 am
It's been interesting going through my accounts and getting LastPass to pick up on the credentials and save the sites in my vault. Some pages it works no problem. Other sites, where the login stuff just pops up on the side it has a little more trouble with. I started this initially on my BlackBerry but it seems that app doesn't sync anywhere... it seems to be just... local. That's annoying since that's my phone and it would be easy to check a password if it actually... worked... Siiigh. I did notice I couldn't just get the app on my iPad. I had to get a 14 day trial and if I wanted to keep using it on the iPad I'd have to go premium. I was thinking of doing that anyway since I need to have easier access to the information.

Side note... I may look at that new BlackBerry that run Android. It's bigger than my current phone but I'd have to see it in person. At least it still has the keyboard... I think I've only had my Classic for... not even a year... 2 year contract up January 2017... think I can make it?
TheGremlyn on Thu Nov 05, 2015 4:36 am
deanhills, you are probably right, but I still think one should never use ones email password on other sites. You never know how long it will take until the password is leaked, or if you can trust the site owner.
Peterssidan on Thu Nov 05, 2015 10:13 am
@peterssidan. You're right of course, except I've got 50 plus e-mail accounts. I have a few passwords that I vary, but it's really tough to keep up.

Btw, it's hilarious. Decided to update some of my WP sites tonight and check on my commercial e-mail accounts, like the more regularly used ones related to my WP sites. I was way behind on one in specific, and woe behold, there was an e-mail from in it. Dated 31 October. Saying they'd been working on the issue since 27 October. A really long e-mail.

At any rate, this particular commercial e-mail account of mine is one of the unique ones where I hadn't changed the password since I started the account in 2009. So of course that was one thing I did tonight, changed the password. Also another good tip is to change the alternate e-mail account (verification e-mail) as well. Yahoo is quite strict with security and picks up on different time zones, so would have asked the person trying to get into my account for verification. So that person would have had to know (a) my verification e-mail as some of the name gets asterisked out, as well as (2) the password of the verification e-mail. I don't think it would have been possible for them to get in even if they tried. Yahoo usually sends a notification if someone gets into the account, so doesn't look as though someone tried to get in. Maybe I've been lucky so far.
deanhills on Fri Nov 06, 2015 1:35 am

© 2005-2011 Frihost, forums powered by phpBB.