NEWS: 000webhost Breach

21 Replies - 939 Views - Last Post: 02 November 2015 - 11:03 AM

#1 JackOfAllTrades

Posted 28 October 2015 - 10:46 AM

I know a lot of people who come through here use the fly-by-night free hosting at 000webhost.

Well, apparently those sites were likely put up by n00bs just like you, because their database -- WITH PLAINTEXT PASSWORDS -- has been breached: http://www.troyhunt....-passwords.html

You truly get what you pay for.


Replies To: NEWS: 000webhost Breach

#2 no2pencil

Posted 28 October 2015 - 11:05 AM

After having read that article... wow, those guys suck.

#3 modi123_1

Posted 28 October 2015 - 11:08 AM

All the company websites I have built over the years are gone! NOOOOOOOOOOOOOO!!!!!!

Just kidding, but I think someone is yelling that right now.

#4 Ryano121

Posted 28 October 2015 - 11:11 AM

Wow, that's quite the operation they've got going on there.

#5 ArtificialSoldier

Posted 28 October 2015 - 12:08 PM

I think they just set a new low bar for the worst response to a breach. Their acknowledgement of the attack (on Facebook, not direct to any customer) is absolutely cringe-worthy to the point that I would actually feel bad for them if they weren't so incompetent.

Quote

We have witnessed a database breach on our main server.

What happened?
A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

What did we do about it?
First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.

What do you need to do?
As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.

Client Area Password
Please visit Password Reminder tool at http://members.000we...ot_password.php and enter your email address, the new password will be sent to your email. Afterwards, login to your account with the new password and manually set a new, secure password at http://members.000we...our_details.php

Hosting Account Password
To reset the password for your hosting account (and FTP), visit "Change Account Password" section on control panel and enter a new password there.

Email Account Password
Email account passwords should be changed by visiting "Manage Email Accounts" section and clicking "Change password" for each email account.

MySQL User (Database) Password
MySQL user passwords are managed in "MySQL" section on control panel. In the "Action" field click the "Change Password" and set a new password there.

We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future.
Regards
000webhost Team


It's staggering. Registration forms submitted over HTTP using GET instead of POST, login forms over HTTP, plain-text passwords, old vulnerable PHP versions and scripts, their forum software is 6 years old, etc. Their immediate response (by immediate I mean "5 months after the breach") involved deleting the shell scripts that got uploaded, turning off FTP access completely, changing everyone's passwords, and apparently "increasing their encryption" from plaintext to hopefully not plaintext. Perhaps they've discovered ROT13, or maybe MD5. Apparently someone shelled and backdoored their server, possibly after gaining the credentials of an admin. If that 6-year-old version of vBulletin was breached first, then that sounds like a fantastic place to look for admin credentials.

But, hey, at least they are "aiming to be super-careful in future".

If you go to https://haveibeenpwned.com, you'll notice that this breach is the third-largest in his database, behind Adobe and Ashley Madison.

Who wants to place bets on which PHP MySQL API they were using?

#6 no2pencil

Posted 28 October 2015 - 12:10 PM

On a related note, now that the Cybersecurity Information Sharing Act passed Senate (by a 74-21 vote), 000webhost can be excluded from customer prosecution as long as they hand over the 13+ million usernames, passwords, emails, & so on & so forth to the NSA. That'll stop those hackers...

#7 Atli

Posted 28 October 2015 - 01:00 PM

According to the linked article, it's a UK based company. Don't really think US laws apply. (Nice segue though :))

On the other hand, I don't doubt that the NSA was first in line to fork out $2K for the data dump.

#8 no2pencil

Posted 28 October 2015 - 01:09 PM

Atli, on 28 October 2015 - 04:00 PM, said:

On the other hand, I don't doubt that the NSA was first in line to fork out $2K for the data dump.

Being that it was a security vulnerability due to out-of-date PHP files, & passwords stored in plaintext, the NSA has likely already had that data for a long time.

#9 Atli

Posted 28 October 2015 - 01:26 PM

Good point. May have even had it all as the accounts were created, as it was all done through non-secured HTTP requests.

#10 Ryano121

Posted 29 October 2015 - 08:06 AM

Got me thinking though, isn't DIC also done through non-secured HTTP?

#11 CTphpnwb

Posted 29 October 2015 - 08:18 AM

ArtificialSoldier, on 28 October 2015 - 03:08 PM, said:

Who wants to place bets on which PHP MySQL API they were using?

Yet another example of why it's so important to be rid of this API ASAP. The first step in that direction is to withhold help for anyone using it.

#12 chris98

Posted 01 November 2015 - 05:53 AM

Quote

I think they just set a new low bar for the worst response to a breach. Their acknowledgement of the attack (on Facebook, not direct to any customer) is absolutely cringe-worthy to the point that I would actually feel bad for them if they weren't so incompetent.


The worst part and particularly ironic is that about ten days before the hack I told them the PHP version they were using is stupidly insecure. I can no longer access the ticket area as they pulled it offline. But here is the transcript:

Quote

Me: Do you have servers where the PHP version is 5.3.0 or newer?


Quote

Them:
Hello,

PHP can be updated only with a premium account. You can upgrade at http://000webhost.com/upgrade/

Very Truly Yours,
Helpdesk Staff
www.000webhost.com


Quote

Me:
You do know there are some serious security vulnerabilities with PHP 5.2 that won't be fixed, right?


Quote

Them: Hello,

PHP 5.2.17 is offered on 000webhost, and if you need PHP 5.3 or above you need to upgrade to paid hosting.

There is no plan to upgrade at the moment



Best Wishes,
Chanh | http://ongetc.com/

Volunteer Staff
www.000webhost.com


I'm not really surprised, to be honest, that they were also using PHP 5.2.17. And hosting24, the commercial version of their site, also uses deprecated MySQL functions (I've seen proof with my own eyes), and from what I could tell when I used them a year ago, plain text passwords as well. They certainly didn't hash your password in the cookie for their members area - which shouldn't have even been there in the first place ....

And in answer to CTphpnwb, yes - they are still using MySQL functions. And hosting24 and 000webhost both use $_REQUEST too.

This post has been edited by chris98: 01 November 2015 - 05:55 AM


#13 Ryano121

Posted 01 November 2015 - 05:55 AM

They also seem to have been able to cover it up pretty well unfortunately. I haven't seen much press attention at all about this :/

#14 no2pencil

Posted 01 November 2015 - 08:06 AM

I wouldn't expect any news coverage of this. It's a technical issue that affected technical users with no impact to celebrities or politicians.

#15 CTphpnwb

Posted 01 November 2015 - 12:19 PM

chris98, on 01 November 2015 - 08:53 AM, said:

I'm not really surprised, to be honest, that they were also using PHP 5.2.17. And hosting24, the commercial version of their site, also uses deprecated MySQL functions (I've seen proof with my own eyes), and from what I could tell when I used them a year ago, plain text passwords as well. They certainly didn't hash your password in the cookie for their members area - which shouldn't have even been there in the first place ....

And in answer to CTphpnwb, yes - they are still using MySQL functions. And hosting24 and 000webhost both use $_REQUEST too.

This is a very common business practice in the U.S. (at least) and I think it's a big part of our economic problems. Businesses routinely make decisions based on the very short-term (this quarter or less) and discount the long term risks, so we're constantly dealing with bad decisions made a long time ago by people who took their bonuses and moved on before the shit hit the fan.

My argument is that developers should not present as options anything as risky as leaving in place code that's been deprecated because of its insecurity for over a decade! So for example, I'm saying that I wouldn't tell a manager that the MySQL extension is available, or if he/she were aware that it was (say because the current code used it) I would make it clear that the risk of a breach is very high! The fact is that it is so high that it's just a matter of time before it happens. It's not a question of "if" it happens.
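The two practices the thread keeps returning to (plaintext password storage and the legacy mysql_* API fed from $_REQUEST, raised in posts #5, #12 and #15) shown beside the hardened pattern, as an added example that is not code from 000webhost, hosting24 or anyone in this thread. The users(id, email, password) table, the placeholder database credentials and PHP 7.1+ are assumptions.

```php
<?php
// Added example (not code from 000webhost or from anyone in the thread).
// Assumed schema: users(id, email, password). Hardened part requires PHP 7.1+.

// ---- LEGACY: the pattern the thread criticises, shown only for contrast ----
// mysql_* has no prepared statements (deprecated in PHP 5.5, removed in 7.0), the
// query is built by string concatenation, and the password is compared in plaintext.
// $_REQUEST merges GET, POST and COOKIE, so a GET login lands credentials in URLs and logs.
function legacy_login($email, $password) {
    $res = mysql_query("SELECT id FROM users WHERE email = '$email' AND password = '$password'");
    $row = mysql_fetch_assoc($res);
    return $row ? (int)$row['id'] : null;
}

// ---- HARDENED: PDO prepared statements + password_hash/password_verify ----
function register(PDO $db, string $email, string $password): void {
    // password_hash() picks a random salt and uses bcrypt by default; only the hash is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $db, string $email, string $password): ?int {
    // Bound parameters: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }
    // Transparently re-hash if the default cost/algorithm was raised after the hash was made.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int)$row['id'];
}

// Accept credentials only from POST over HTTPS; never read them from $_REQUEST.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_SERVER['HTTPS'])) {
    // Credentials below are placeholders, not real values.
    $db = new PDO('mysql:host=localhost;dbname=app', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    $userId = login($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
}
```

The legacy function is retained only to show what the thread's objection looks like in code; on PHP 7 it no longer runs at all, which is the point CTphpnwb makes about the extension having been deprecated for years.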
