Cyber Incident Victim: Hostinger
Date:
Oct 2015
Location:
Lithuania
Summary
000Webhost, a free web hosting service, suffered a major breach in which attackers exploited an outdated PHP version to upload malicious files and gain unauthorized access, exposing approximately 13.5 million user records with usernames and passwords stored in plaintext. The parent company, Hostinger, initially failed to respond to repeated breach notifications, then acknowledged the incident after evidence mounted, resetting all passwords without telling users why and temporarily disabling FTP access. Contributing weaknesses included plaintext password storage, a signup page served without HTTPS that placed credentials in the URL, and forum software years out of date. The breach prompted an internal investigation, planned system upgrades and cooperation with law enforcement; the company asserted that its premium services were unaffected.
Description
In October 2015, security researcher Troy Hunt received an anonymous tip about a leaked database allegedly belonging to 000Webhost, a free web hosting service owned by Cyprus-based Hostinger. The database held approximately 13.5 million customer usernames and passwords stored in plaintext, and there was no evidence it had circulated publicly before. Hunt verified the data in three ways: he confirmed that his own email address appeared in it, attempted registrations with addresses from the dump and found them rejected as already in use (so the accounts were live), and had five affected users confirm that the passwords in the dump were the ones they actually used.

Despite repeated attempts by Hunt and Forbes to alert 000Webhost through web forms, email, phone calls to Hostinger's Lithuanian office and LinkedIn messages to CEO Arnas Stuopelis, the company's only substantive reply was to suggest submitting more web forms. On October 27, 000Webhost silently reset all user passwords without telling customers; affected users, including Hunt and UK student Lewis Kimber, discovered this only when a login attempt triggered an automated security alert. Kimber criticised the company for storing credentials in plaintext, noting that without hashing, even a long, complex password offers no protection once the database is stolen.

At the same time, users reported losing access to FTP servers; a forum announcement attributed this to "security checks" lasting until November 10 while promoting premium upgrades. The company systematically deleted Facebook posts that raised security concerns, but left visible the follow-up posts asking why those had been deleted.

The breach's origin remained unclear. One anonymous source pointed to a March 2015 intrusion using compromised admin credentials, while another claimed the database was being offered for sale for $2,000. Analysis of the site revealed multiple security failures: the 000Webhost forum ran vBulletin 3.8.2, a release from 2009; the registration page was served over plain HTTP, so credentials could be intercepted in transit; and the signup form placed the username and password in the page URL's query string, where they are visible in the address bar and recorded in browser history, proxies and server logs. After sustained media pressure, 000Webhost acknowledged the breach on Facebook on October 28, attributing it to a hacker who exploited "an old PHP version" to upload malicious files and gain access to its systems. The company said it had removed the unauthorized files, reset all passwords with what it described as enhanced encryption, and opened an investigation. (A practitioner caveat: passwords should be hashed with a salted, deliberately slow function rather than encrypted, since encrypted data can be reversed by anyone who also obtains the key.) Hostinger CEO Stuopelis later confirmed via LinkedIn that law enforcement had been engaged, that FTP access would remain blocked during the investigation, and that only 000Webhost, not Hostinger or Hosting24, was affected. The admission came only after users had already learned of the compromise through Hunt's Have I Been Pwned service, which by then catalogued more than 226 million breached accounts. No direct customer notification was issued beyond password-reset prompts and the belated public statements, and the company continued to advertise its premium services throughout.
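The following is an added example, not code from 000Webhost or Hostinger, illustrating the two weaknesses described above that made the leak immediately usable: plaintext password storage, shown beside a salted, slow-hashed store, and a signup form that submits credentials in the URL over plain HTTP. Nothing is known about 000Webhost's actual implementation; the store classes, the accounts, passwords, wordlist and URLs are all constructed for the illustration, and the scrypt parameters are chosen for demonstration rather than taken from any real deployment.

```python
"""Added example (not 000Webhost's or Hostinger's code): plaintext vs hashed
password storage, and a GET-based signup form that leaks credentials into the
URL. All accounts, passwords, wordlist entries and URLs are constructed."""
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode, urlsplit


class PlaintextStore:
    """What the leaked database amounted to: the stored record is the password."""

    def __init__(self):
        self.rows = {}  # email -> password

    def register(self, email, password):
        self.rows[email] = password

    def login(self, email, password):
        return self.rows.get(email) == password


class HashedStore:
    """Hardened counterpart: per-user random salt, slow scrypt derivation and a
    constant-time comparison. This is hashing, not encryption: there is no key
    whose theft would reverse the stored values."""

    SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # illustrative cost parameters

    def __init__(self):
        self.rows = {}  # email -> (salt, digest)

    @classmethod
    def derive(cls, password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, **cls.SCRYPT)

    def register(self, email, password):
        salt = os.urandom(16)
        self.rows[email] = (salt, self.derive(password, salt))

    def login(self, email, password):
        row = self.rows.get(email)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self.derive(password, salt))


def recover_from_dump(store, email, wordlist):
    """Offline attack on one leaked row. Returns (password_or_None, guesses_made).
    A plaintext row needs no guessing at all, which is the point made about
    complex passwords being worthless here. A hashed row costs one scrypt call
    per guess, and a password outside the wordlist is not recovered."""
    row = store.rows[email]
    if isinstance(row, str):
        return row, 0
    salt, digest = row
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(digest, HashedStore.derive(candidate, salt)):
            return candidate, guesses
    return None, len(wordlist)


def signup_request(action_url, email, password, method="POST"):
    """Model of a browser submitting a signup form. With method="GET" the fields
    are appended to the URL (what put credentials in the address bar); with
    POST they travel in the request body. Returns (url, body_or_None)."""
    fields = {"email": email, "password": password}
    if method.upper() == "GET":
        return action_url + "?" + urlencode(fields), None
    return action_url, urlencode(fields)


def signup_weaknesses(url):
    """Flags the two transport problems described above for a submitted URL."""
    parts = urlsplit(url)
    found = []
    if parts.scheme != "https":
        found.append("no-https")
    if "password" in parse_qs(parts.query):
        found.append("password-in-url")
    return found


if __name__ == "__main__":
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.register("user@example.test", "Correct-Horse-Battery-9!")
    wordlist = ["password", "123456", "letmein"]  # constructed, deliberately tiny
    print("plaintext dump:", recover_from_dump(plain, "user@example.test", wordlist))
    print("hashed dump:   ", recover_from_dump(hashed, "user@example.test", wordlist))
    url, _ = signup_request("http://example.test/signup", "a@b.test", "s3cret", "GET")
    print(url, signup_weaknesses(url))
```

Running the file shows the plaintext row yielding the password with zero guesses, the hashed row surviving the wordlist, and the GET signup URL flagged for both missing HTTPS and a password in the query string.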
