Sometimes you really do get what you pay for, so what does that say about free web hosting? 000Webhost is hardly unique in offering free basic shared hosting, but what (unfortunately) sets it apart now is the major data leak that came to light in late October 2015. Ars Technica reported that 000Webhost had been badly hacked and that up to 13.5 million passwords, names, and IP addresses had ended up in the wrong hands. The important detail is that the passwords were stored in plain text: not hashed, so anyone holding the dump could read every one of them directly. If you reuse passwords across sites (as most people do), that exposes every account sharing the password, not just the hosting login.
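To make the plain-text point concrete, here is an added Python example (not code from the article, and not 000Webhost's own code) that stores the same password two ways: as the plain-text record the leaked dump revealed, and as a salted PBKDF2-HMAC-SHA256 hash. The `leaked_passwords` function shows what an attacker who copies each store can read without doing any cracking at all. The usernames, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: tune the iteration count so one
# verification costs tens of milliseconds on your own hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def store_plaintext(store: dict, username: str, password: str) -> None:
    """The pattern the 000Webhost dump revealed: the password itself is the record."""
    store[username] = password


def verify_plaintext(store: dict, username: str, password: str) -> bool:
    return store.get(username) == password


def store_hashed(store: dict, username: str, password: str) -> None:
    """Per-user random salt plus PBKDF2; only salt, iterations and digest are kept."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    store[username] = {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_hashed(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS
        )
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so a mismatch position cannot be timed.
    return hmac.compare_digest(candidate, record["digest"])


def leaked_passwords(store: dict) -> dict:
    """What someone who copies the store can read directly: every plain-text record."""
    return {user: rec for user, rec in store.items() if isinstance(rec, str)}


if __name__ == "__main__":
    # Constructed sample accounts.
    plain, hashed = {}, {}
    for user, pw in [("alice", "hunter2"), ("bob", "hunter2")]:
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw)
    print("plain-text store leaks:", leaked_passwords(plain))
    print("hashed store leaks:", leaked_passwords(hashed))
    print("same password, different digests:",
          hashed["alice"]["digest"] != hashed["bob"]["digest"])
```

Note that in the hashed store two users with the same password get different digests because of the per-user salt, so a dump does not even reveal who shares a password. PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt or Argon2 is the stronger choice where a library is available.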
Troy Hunt, a security researcher and owner of the breach-notification site "Have I Been Pwned", was among the first to be tipped off about the hack. Not only had the attacker obtained those millions of passwords, he or she then dumped the data online. Forbes picked up the story and covered Hunt's investigation: Hunt spoke one on one with five 000Webhost customers, who each confirmed that their leaked password was correct. Worse, Hunt found his own email address in the leaked dump.
What makes matters worse is that Hunt has never been a 000Webhost user.
Much as with the Ashley Madison leak, Hunt assumes somebody registered an account using his email address. What that really highlights is that the web host did no email verification at signup (and likely validated nothing else either). Hunt was able to take over the account simply by requesting a password reset for "his" address. During this debacle, Hunt reports that getting hold of 000Webhost was impossible, and contacting breached companies is part of his job! The odds of an average user reaching the web host are slimmer still. He did note, however, that the web host reset all user passwords after the hack.
According to Hunt, "There's only one good reason why an organization does that, and that's because they believe all the passwords have been compromised." That was the first sign that the web host had been completely breached. On its own, though, a reset is a Band-Aid: it stops the leaked credentials from working on 000Webhost and nothing more. The data that was leaked is still leaked, and anyone who reused that password elsewhere is still exposed. 000Webhost did not email customers to explain the breach, what happened, how it happened, or how to protect themselves. They were simply notified of a password reset.
Lack of Communication
Just as in any relationship, lack of communication can be a killer. 000Webhost did finally address the attack on social media, but not until four days after the breach came to light. It was an attempt at cleaning up a serious mess, and one the web host didn't handle well.
If you're a 000Webhost user, reset your password (again) and treat the old one as public: never use it again, and never reuse the new one anywhere else. That is also the direction 000Webhost offers, but it's too little, too late. Many users have ditched the host and are looking for new options. Some are moving to virtual private server (VPS) hosting, which isolates you from other tenants, usually performs better, and often comes with better customer service. Keep in mind that a VPS is only as secure as its administration: patching and configuring it becomes your responsibility rather than the host's. It may cost a few dollars per month, but that is well worth it considering how little security some free options provide.