000Webhost Loses Plaintext Passwords


This comes under the heading of “know who you are doing business with.”  Web hosting company 000webhost.com was breached this week and over 13 million customer records were stolen and posted for sale on the Internet.  The data includes customer names, emails and passwords in plaintext  (meaning the passwords were unencrypted).  Storing passwords in an unencrypted form should be a criminal act in itself, but unfortunately it is not.

000webhost markets itself as a wonderful “free” hosting alternative to the big bad hosting companies you have to pay for.  Here is one of the problems with free – you may not be getting all the features (like secure storage of your personal information) that you expect to get.  The service is currently offline while they try to recover from the situation.  The fact that they are “free” makes me wonder if they have the financial resources to recover and survive.

The way I read it, if you are a customer, your website is down.  If not, it is certainly vulnerable to hijacking or defacement until this issue is resolved.  At some point you will need to change your user credentials.  Frankly, if you are running your business website on this host you should be working on migrating off this clown posse today.

More information:



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.