000WebHost Security Breach

bdistler

Well-Known Member
Prime Account
Messages
3,534
Reaction score
196
Points
63
000WebHost hasn't made any comment...
they have now - from their Facebook post.......
We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version of the website gaining access to our systems, exposing more than 13.5 Million of our customers' personal records. The stolen data includes usernames, passwords, email addresses, IP addresses and names.......
 

caftpx10

Well-Known Member
Messages
1,534
Reaction score
114
Points
63
Good catch.
I had researched a crazy amount of stuff (mostly from the original article that's very detailed) and am currently in the process of getting CF to stop servicing the site that is selling the user credentials in plaintext.


If you had created an account March 2015, earlier, or October 2015 or earlier, then you're affected. If you have deleted your account after or on March 2015 then it's already too late and your information is still there in the dump.
To find out if your data has been dumped during the breach, use this site: https://haveibeenpwned.com
 

bdistler

...in the process of getting CF to stop servicing the site that is selling the user credentials in plaintext.
"the site" ? - I know of five points that are selling it.......I am sure there are more

If you had created an account March 2015 or October 2015 or earlier, then you're affected regardless if you have deleted your account after or on March 2015.
forget the dates - if you had or have an account with that host your account information - all of it - is now with the Blackhats
 

caftpx10

"the site" ? - I know of five points that are selling it.......I am sure there are more


forget the dates - if you had or have an account with that host your account information - all of it - is now with the Blackhats
1. I'm sure that there's more too, but why not try lowering the amount?

2. That doesn't seem to be the case, according to Troy's article. If you weren't in the first dump and got your account deleted before the second then you wouldn't be on the second one.
 

bdistler

That doesn't seem to be the case, according to Troy's article.
Troy Hunt has no way to know when the "first" pull was made - he is assuming the data file - he has - was made from a pull in March 2015 - it is known that pulls were still being made in October 2015
 

caftpx10

Troy Hunt has no way to know when the "first" pull was made - he is assuming the data file - he has - was made from a pull in March 2015 - it is known that pulls were still being made in October 2015
But were there any after March and before October?
 

bdistler

But were there any after March and before October?
yes - before March 2015 and up into October 2015

BTW looking in my logs - one of my old accounts - on that host - which was deleted in 2012 - is in the data at --> [ https://haveibeenpwned.com/ ]

where is it that Troy Hunt - or anyone else - said there was a breach of that host in October 2015 ? - I can not find anyone (with good credibility) on the Internet that said that
 

caftpx10

yes - before March 2015 and up into October 2015

BTW looking in my logs - one of my old accounts - on that host - which was deleted in 2012 - is in the data at --> [ https://haveibeenpwned.com/ ]

where is it that Troy Hunt - or anyone else - said there was a breach of that host in October 2015 ? - I can not find anyone (with good credibility) on the Internet that said that
Well, there's this...
4a8fkJt.png
 

caftpx10

your image has a Web address - [ https://archive.is/6g9Aa ] which points to [ http://www.000webhost.com/lol.txt ] which gets sent to [ https://www.000webhost.com/ ] which has note at the top (Read More) that says in part "We have been aware of this issue since 27th of October..." -- nothing is said about a breach in October 2015
You should know 000webhost has been trying to be vague with the details. 'lol.txt' was deleted and so it's getting an HTTP response of 301 resulting in the browser pointing towards that main page.
The screenshot I did is the store that's selling such data.
 

bdistler

The screenshot I did is the store that's selling such data.
and that "store" ( I know the URL but not posting it in this forum ) is one of many sites ( I have a long list of them ) that are selling "Combolists" - most of which are by con artists that do not have the datafiles they say they have...

the issue is - I have not found any publicly documented breach of that host in October 2015
 

caftpx10

and that "store" ( I know the URL but not posting it in this forum ) is one of many sites ( I have a long list of them ) that are selling "Combolists" - most of which are by con artists that do not have the datafiles they say they have...

the issue is - I have not found any publicly documented breach of that host in October 2015
Unfortunately there are some vague spots as of now.
000webhost should know if their server log had logged the attack and of course the dumper should also know.
Because of the fact that they had been trying to cover it up longer than it had to, I would look around and not just rely on the information they had put out. I mean- they still haven't even explained why they haven't revised their security years ago and why they took so long to disclose the situation publicly.
 

l4w2game

Member
Messages
40
Reaction score
0
Points
6
000webhost are a piece of junk simply made to promote their main service Hosting24 and Hostinger, which the latter blocks all registrations for failing a 'fraud test' (note: 'l4w2-gamers' isn't really a synonym for fraud).

They've been running PHP 5.2 since 2008, no wonder somebody got into it and got everything in plain text.
 

caftpx10

The PHP vulnerability could be a lie (even though that wouldn't be a surprise).
They have not taken security seriously for many years, didn't show any care since the first report and they were trying to hide it for a bit.
So, I don't see why I should trust them. Fact is that the data is out and is bound to be abused by one who gets hold of it. Like one could put it out for the public to see.
 