Menu
Browse

Cyber Incident Victim: 000Webhost

Date:

Oct 2015

Location:

Lithuania

Summary

A free web hosting service suffered a breach exposing approximately 13.5 million customer credentials stored in plaintext, with compromised data including usernames and passwords. The incident revealed multiple security failures, including unencrypted signup pages transmitting credentials visibly in address bars and outdated forum software with known vulnerabilities. The company initially ignored repeated breach notifications from security researchers and media, though it later silently reset user passwords without direct notifications while deleting social media posts referencing security concerns. Following public exposure, the firm acknowledged unauthorized system access via an exploit in outdated software, temporarily disabled certain functionalities, and initiated password resets with enhanced encryption. Its parent firm apologized for the incident, engaged law enforcement, and claimed premium services remained unaffected while advising customers to change credentials.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

In October 2015, an anonymous source contacted cybersecurity researcher Troy Hunt, operator of the breach notification service Have I Been Pwned, claiming possession of a database allegedly belonging to free web hosting provider 000Webhost. The database contained approximately 13.5 million customer records, including usernames and passwords stored in plaintext without encryption. Hunt verified the authenticity of the data by cross-referencing email addresses from the leak with active 000Webhost accounts; automated responses confirmed the addresses were registered, and Hunt successfully reset passwords for accounts matching his own test entries. Five additional users confirmed their credentials matched the leaked data. Hunt and Forbes journalist Thomas Brewster attempted to alert 000Webhost and its parent company Hostinger through multiple channels—online contact forms, phone calls to Lithuanian and Cyprus-based offices, emails to abuse addresses, and LinkedIn messages to Hostinger CEO Arnas Stuopelis—but received no substantive response for several days.

Cyber Incident Image

On October 27, 000Webhost silently reset user passwords without notifying customers, triggering automated security alerts when affected users like Hunt and UK student Lewis Kimber attempted to log in. The company simultaneously disabled FTP server access, citing a "security check" until November 10, while continuing to promote premium Hostinger services. Users reported complaints about the password resets and FTP restrictions on 000Webhost’s forums and Facebook page, where the company deleted posts referencing security issues. Forensic analysis revealed systemic security failures: the 000Webhost forum ran on outdated vBulletin 3.8.2 software (released in 2009), registration pages lacked HTTPS encryption, and credentials appeared unencrypted in website address bars during signup. On October 28, 000Webhost acknowledged the breach via Facebook, attributing it to a hacker exploiting "an old PHP version" to upload malicious files and compromise the main server database. Hostinger’s Stuopelis later confirmed law enforcement involvement, password changes, and system upgrades but asserted Hostinger and Hosting24 services were unaffected. The breach exposed 13,542,675 accounts, with Have I Been Pwned logging 226 million compromised accounts globally by the incident’s disclosure.

Sources
Sources available to members
1 source