Breaches, traders, plain text passwords, ethical disclosure and 000webhost (troyhunt.com)
147 points by franciscop on Oct 29, 2015 | hide | past | favorite | 38 comments


Possibly the most horrifying parts of this situation are:

1. A dump of 000webhost's user database was being circulated and actively exploited for over six months, and they either never realized what was going on, or never took any action. (I'm not even sure which would be worse.)

2. 000webhost made themselves essentially impossible for the author to contact (regarding a very serious security issue!), and still haven't publicly acknowledged the breach, beyond forcing a password reset.


The terrible thing is what have they been doing with people's passwords :-) If the DBA, some random offshore $1 per hour guy working for this hosting company, was able to read the passwords in plaintext, he/she could have hacked the accounts or sold them to people well before the compromise. Do people ever wonder how identity theft can happen? Unsafe transactions leaving greedy and unethical people selling information to organized criminals... no duh.

Like the other commenter said, sadly, 000webhost and many others were very popular back in the mid-2000s during the Great PHP Frontier goldrush. I had used it, but luckily I was using a ghost email address that couldn't tie back to my real identity, so the best people can do is add that password to a list of known passwords.


As much as this whole thing is horrific, to be fair about 1), if a dump doesn't show up in any public forum, pastebin or Tweet, it can be hard to realistically become aware of it.

(and yes, point 2 makes that redundant in this case)


One method that can be used is fake user accounts with simple-to-break passwords, like 123456. Logins to these fake user IDs can alert the system that the user DB has been compromised.
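The canary-account idea in this comment, worked through as an added example (it is not code from any commenter or from 000webhost). The canary account names, the log line format and the IP addresses are all constructed for the example. The point a defender cares about is that nobody legitimate ever knows these accounts exist, so even a failed login against one is a signal that the account list has leaked, and the earliest such event gives you a lower bound on when the leak happened:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed canary (honeytoken) accounts. They exist only as rows in the user
# database; no person or job ever authenticates with them.
CANARY_ACCOUNTS: Set[str] = {
    "canary-4f1e@example.com",
    "audit-mailbox-7b@example.com",
}

# Constructed auth-log format for this example:
#   <iso8601 ts> auth <ok|fail> user=<login> ip=<source ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class CanaryAlert:
    ts: str
    user: str
    ip: str
    result: str
    severity: str


def detect_canary_logins(lines: Iterable[str],
                         canaries: Set[str] = CANARY_ACCOUNTS) -> List[CanaryAlert]:
    """Return one alert per auth event that names a canary account.

    A successful login is 'critical' (someone holds a working password for a
    row that only exists in our DB). A failed attempt is still 'high': the
    attacker knows a username no legitimate user was ever told about, so the
    account list itself has leaked even if the password column has not.
    """
    alerts: List[CanaryAlert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            # Unparseable lines are skipped here; a production pipeline would
            # count them, since a parser gap is itself a monitoring blind spot.
            continue
        if m["user"] not in canaries:
            continue
        severity = "critical" if m["result"] == "ok" else "high"
        alerts.append(CanaryAlert(m["ts"], m["user"], m["ip"], m["result"], severity))
    return alerts


def first_compromise_time(alerts: List[CanaryAlert]) -> Optional[str]:
    """Earliest canary hit, i.e. the latest date the DB could still have been intact."""
    return min((a.ts for a in alerts), default=None)


# Constructed sample log, mixing normal traffic with one canary probe.
SAMPLE_LOG = [
    "2015-04-02T03:11:09Z auth ok user=alice@example.com ip=198.51.100.7",
    "2015-04-02T03:12:44Z auth fail user=canary-4f1e@example.com ip=203.0.113.9",
    "2015-04-02T03:12:51Z auth ok user=canary-4f1e@example.com ip=203.0.113.9",
    "2015-04-03T11:00:00Z auth ok user=bob@example.com ip=198.51.100.8",
    "not a log line at all",
]

if __name__ == "__main__":
    hits = detect_canary_logins(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.severity}] {h.ts} {h.result} login for canary {h.user} from {h.ip}")
    print("earliest evidence of leak:", first_compromise_time(hits))
```

The canary rows should look like ordinary customers (realistic creation dates, the same password hashing as everyone else) so they cannot be filtered out of a dump, and the alert should page a human rather than land in a log nobody reads, which is exactly the failure this thread is about.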


Over a short period, sure. Over a period of six months, though, as the credentials get passed around and used... surely they should have noticed that their customers' sites were getting exploited unusually often, and in ways that couldn't be explained by typical poor security practices?


I've done a lot of work with cheap shared hosting and... I doubt it. Closing a compromised account until it's repaired is something I've done five times in a day, and I stopped investigating after a while because it was absolutely always a WordPress or Joomla installation that hadn't been updated in five+ years.

I played for a while with sending people warning letters asking them to upgrade known vulnerable versions, and more often than not they would just close their account and move it somewhere they "don't have those issues".

It's easy to be amongst larger application developers and lose track of just how low the bar is in the market they are playing in.


They have disclosed now on their Facebook page.


A good way of determining how seriously an organization takes security is to look for any kind of security incident report page or security contact info. Bonus points for publishing a GPG key for the security account. Pretend you have found a security issue in their system and look for how they want it reported.

Also, unresponsive companies like this contribute to the volume of people who don't bother with responsible disclosure and just go straight to full disclosure, anonymously or not.

Companies need to see a hit on their bottom line or a breach in their own security before they take it seriously, as has been demonstrated time and again.


Are we doing it right? https://paragonie.com/contact :)


You've got a GPG key up, which is more than most.

That tells me that you've got a security team (even if it's one person who wears other hats too), and it implies that anything encrypted with that key will be forwarded to your security team instead of being triaged by front-line support staff.

It definitely lends credence to your Application Security offering.


I'm getting a 502 from CloudFlare, so maybe not?


Yeah, I don't know what happened. I got those last night and I SSH'd in and there were no problems on our end: Both nginx and php5-fpm were running clean as a whistle, no error log entries, etc. :\


Wow, terrible response.

Unfortunately I believe I'm on that list from when I was in middle or high school, dabbling with PHP. I'm certain that I haven't used that password in nearly 10 years (and of course now use a password manager with random passwords for every site), but it still feels terrible anyway that my email and plaintext password are being sold online.


You can confirm now via the service Troy runs: https://haveibeenpwned.com/


To a first approximation: all of these no-name hosting services are owned up. Do not use mom-and-pop hosting providers.


I agree. I am constantly surprised when people have the concept of free

They will happily pay $50 - $200 for drinks on the weekend, but when something hosting comes up, there's a perception that it "should" be free.

At the end of the day, we all pay. It's just a question of how much...


I made a free HTML & CSS course some time ago and used 000webhost for the convenience of just zipping and uploading it to make it live. Now I have to dig up their contact to tell them the bad news. 000webhost turned out to be like a bad STD.


They need to work on their security, but I've had three websites up for four years--for free. Never paid a cent. I don't think another hosting service can beat free.

I did have problems with one site; it was hijacked by someone with a .ru email. I needed to point my name servers elsewhere in order to get my account back. Yes, it was a problem, but their staff was not completely indifferent to my problem. I've experienced worse.

I can't knock a free server. If they get their security problems worked out, I would consider paying them, and using them for a site I really cared about.


There are many way better and almost free alternatives. 3,49 euros/month for unlimited domains on Bluehost, for example. Free (with other kinds of limits) Heroku, a YC company. I don't see the price/risk of sites like 000webhost as worth it anymore.


Some of the ALMOST free alternatives do not get any better. I used lots of free services so that I do not have to worry that my credit card information will be compromised.

For things where I need to declare ownership, or that are critical, I turn to the well-known brand vendors. Not for the reason that they do very well in security, but because they have lots to lose. And they have an office in my jurisdiction I can hunt down.


AWS has a free tier as long as you don't go over the limit. But obviously if you get DDoSed, then your bill can go up.

Digital Ocean is a good one for $5 and pretty stable for me. If all you need is a static site, use GitHub.


Prepaid credit cards are a very valuable tool for anyone using the AWS free tier of service. It's an extra layer of protection if you ever do get DDoS'd.

No, I don't care if it means Amazon doesn't get paid for the bandwidth consumed by an attack. Sometimes all I care about is not getting a 10k or bigger bill at the end of the month for what was advertised as free. IMO they really need a way of automatically shutting down VMs that go over the limit instead of just charging the credit card on file.


If it's your personal project, shove CloudFlare in front of the AWS site.

Also, they have http://docs.aws.amazon.com/AmazonCloudWatch/latest/Developer... but like a lot of things with AWS, it's ridiculously complex.


Yeah, I understand that it's possible to configure alerts so that you are notified when your account goes over the limit, but for pet projects, I don't want to be notified and expected to respond, I want it to just stop the server. I don't see them ever actually implementing this though because it wouldn't bring in any additional revenue.


I don't see why you couldn't use the CloudWatch metric to just turn off all your instances if you go over budget.

Of course it would require you to set it up, but for the vast majority of companies that are on AWS, if they were to go over their budget, it would be worse to shut down the instances in that case...


Agreed that it's hopelessly complex (one reason to just go with Digital Ocean or someone else with a pre-paid account billing type). That said: "You can add the stop, terminate, reboot, or recover actions to any alarm that is set on an Amazon EC2 per-instance metric, including basic and detailed monitoring metrics provided by Amazon CloudWatch (in the AWS/EC2 namespace), as well as any custom metrics that include the "InstanceId=" dimension, as long as the InstanceId value refers to a valid running Amazon EC2 instance."


Amazon'll still come after you for the balance, including collections. It's possible to set up billing alerts in CloudWatch - set them up at 50%, 100%, 150% and 200% of average monthly spend and it's hard to get too shocking of a surprise.
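The two mechanisms the last few comments argue about, written out as an added example that is not from any commenter or from AWS documentation: a per-instance CloudWatch alarm with the EC2 stop action quoted above, and the 50/100/150/200% billing alarms suggested in this comment. It builds the exact parameter dictionaries for boto3's `put_metric_alarm` and only calls AWS through a client object you pass in, so the builders run offline. The instance id, SNS topic ARN, region and the 5 GiB network threshold are assumed placeholders; the billing metric itself only exists in `us-east-1` and only after billing alerts are enabled in the account's billing preferences:

```python
from typing import Dict, List, Sequence

# Assumed example values; replace with your own.
EXAMPLE_INSTANCE = "i-0123456789abcdef0"
EXAMPLE_TOPIC = "arn:aws:sns:us-east-1:123456789012:billing-alerts"
EXAMPLE_REGION = "us-east-1"


def ec2_stop_alarm(instance_id: str, region: str,
                   threshold_bytes: float, metric: str = "NetworkOut",
                   period: int = 300) -> Dict:
    """Alarm on one instance's own metric and stop the instance when it trips.

    Only per-instance metrics (AWS/EC2 namespace with an InstanceId dimension)
    may carry the EC2 stop action; an account-wide billing metric cannot stop
    anything directly, which is why a second set of alarms is needed below.
    """
    return {
        "AlarmName": f"stop-{instance_id}-on-{metric}",
        "Namespace": "AWS/EC2",
        "MetricName": metric,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Sum",               # bytes out over the period
        "Period": period,
        "EvaluationPeriods": 1,           # one hot period is enough for a pet project
        "Threshold": float(threshold_bytes),
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [f"arn:aws:automate:{region}:ec2:stop"],
    }


def billing_alarms(avg_monthly_usd: float, topic_arn: str,
                   multipliers: Sequence[float] = (0.5, 1.0, 1.5, 2.0)) -> List[Dict]:
    """One notification-only alarm per multiple of normal monthly spend.

    EstimatedCharges is a month-to-date running total published about every
    six hours, so Period is 21600 and Maximum is the right statistic.
    """
    alarms = []
    for m in multipliers:
        alarms.append({
            "AlarmName": f"billing-{int(m * 100)}pct-of-normal",
            "Namespace": "AWS/Billing",
            "MetricName": "EstimatedCharges",
            "Dimensions": [{"Name": "Currency", "Value": "USD"}],
            "Statistic": "Maximum",
            "Period": 21600,
            "EvaluationPeriods": 1,
            "Threshold": round(avg_monthly_usd * m, 2),
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [topic_arn],  # notify; nobody gets stopped by a bill alarm
        })
    return alarms


def apply_alarms(cloudwatch_client, alarms: List[Dict]) -> List[str]:
    """Push each alarm definition with put_metric_alarm; returns the names created."""
    for a in alarms:
        cloudwatch_client.put_metric_alarm(**a)
    return [a["AlarmName"] for a in alarms]


if __name__ == "__main__":
    import boto3  # assumed available only when actually talking to AWS
    cw = boto3.client("cloudwatch", region_name=EXAMPLE_REGION)
    alarms = [ec2_stop_alarm(EXAMPLE_INSTANCE, EXAMPLE_REGION, 5 * 1024 ** 3)]
    alarms += billing_alarms(40.0, EXAMPLE_TOPIC)
    print("created:", apply_alarms(cw, alarms))
```

Stopping the instance caps compute and egress from that one box, but it does not retroactively cancel charges already incurred, and it does nothing for spend on other resources (load balancers, S3 egress), which is why the billing alarms still matter even with the stop action in place.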


I thought AWS free tier is one year only?


Right, I assume it was a quick PoC. Good point.


This guy on Reddit also noticed a security issue years ago...

http://www.reddit.com/r/netsec/comments/3qqo79/000webhost_da...


Jesus. Thanks for the heads up. I was with these guys last month, now I'm on their paid service. Great.


Then you might be lucky since the breach was 7 months ago (yikes)


It reports I'm included. I think the account was really old, I'm going to migrate to a new host this weekend. Shit.

Anyone got a good host they use? Lol. There goes my weekend. Daaaaamnit!


DigitalOcean or AWS, GitHub or NeoCities for static stuff.


I really hate hearing about all these cyber attacks lately. Makes me worried some day the government will force you to get an expensive license to launch a website, maybe even requiring years of mandatory college.

Just a bit scared that someday these irresponsible companies will ruin it all even for the ones that are responsible, such as hashing passwords and taking other security measures.

Wonder if other Hostinger services were also hacked like YouHosting or Hosting24


Just got an e-mail from them about the breach.

"At 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that."

Being committed to protect user information and saving passwords as plain text are two different things in my opinion, though..


Always exciting to see my home country (Cyprus) mentioned although I'm 90% sure that's just a shell corp and the address is their accountant's/lawyer's office.


Damn, one of my old accounts got compromised. Thanks for reporting, no communication received from 000webhost at all about this issue.
