Information on nearly 14 million users of 000webhost, a Lithuanian web hosting service, was spilled earlier this year when a hacker exploited an old version of the company’s website and gained access to the backend.
13.5 million customer usernames, plaintext passwords, email addresses, IP addresses, and names were exposed as part of the breach, according to a Facebook post from the company Thursday morning.
000webhost first disclosed the breach Wednesday morning in a preceding Facebook post but was hazy with details, claiming that at some point a hacker leveraged an exploit on an old PHP version of the company’s site and uploaded some files.
“Although the whole database has been compromised, we are mostly concerned about the leaked client information,” the company wrote, adding that since it discovered the issue, its reset user passwords, and is cautioning any users who used the same password on another service to change it.
The company claims its launched an investigation into the breach, but fails to give a timeline, or mention whether its involved law enforcement.
Paradoxically, 000webhost claims its customers’ sites will stay online during the ensuing investigation, but also says that it has temporarily disabled most of its systems while it sorts through issues.
“In an effort to protect our users we have temporarily blocked all access to systems affected by this security flaw. We will re-enable access to affected systems after an investigation and once all security issues have been resolved,” the post reads.
The company is stressing that sister companies Hosting24 and Hostinger, both which appear to be based in Cyprus, are not affected by the breach.
Troy Hunt, Microsoft’s MVP for Developer Security, who also runs the site Have I Been Pwned? learned of the breach late last week after a reader messaged him, and decided to do some research of his own into the hack.
After poking around the site a bit, Hunt discovered the site was storing users’ passwords in plaintext and by looking at the leaked database was also able to verify the email addresses and corresponding information was legitimate.
While 000webhost says it discovered the issue on Tuesday, Hunt claims he tried to contact the company about the breach a week ago, on October 22. One person even contacted him and told him the database was likely dumped back in March, nearly seven months ago.