
000webhost hacked

SIGSEGV

Sometimes I wonder how people who host websites can have such bad security.

http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

Doesn’t look too bad? Let’s take a look at the URL:

http://www.000webhost.com/order.php?domain=&subdomain=sdjflsdhkfhds&name=asdasdf&email=aaaaa@letthemeatspam.com&pass1=ThisIsMyPassword&pass2=ThisIsMyPassword&aggree=yes&error_multiple=&error_domain=&error_subdomain=&error_name=&error_email=&error_pass=2&error_tos=&error_number=&error_js=&error_disposable=1&error_bad_gmail=

Yes, that’s the credentials in the URL of an HTTP address so now it sits in all sorts of logs, browser history and other places which are both obtainable by anyone the traffic passes through and by anyone with access to any of those logs.

I picked several clearly disposable email addresses randomly from the dump and got exactly the same response. The chances of this happening by coincidence are extremely low and the only other explanation that can sometimes come up is that an “attacker” has used an enumeration risk to build up a list of email addresses on the site then faked the other data (i.e. keep hitting a resource that confirms or denies an account exists and steps through a big list of emails to check). It would have been possible to emphatically confirm if the data was legit by actually trying to login with the plain text password, but that wasn’t going to happen as a matter of principle.

Flipping abysmal security. WHY DO COMPANIES STILL INSIST ON STORING PASSWORDS IN PLAIN TEXT!

"My game vs my brains, who gets more fatal errors?" ~ Camper125Lv, GMC Jam #15

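To show what the quoted point about the URL means for anyone who operates a web server, here is an added example that is not code from the post, from Troy Hunt's article, or from 000webhost. It reads a few constructed Apache/nginx combined-format access log lines, flags GET requests whose query string carries parameters named like the pass1/pass2 fields in the quoted URL, and writes a redacted copy of the log. The parameter-name pattern, the log format regex and the sample lines are all assumptions made for the demonstration.

```python
"""Scan web-server access logs for credentials leaked in GET query strings.

Added example, not from the thread or from 000webhost. The signup URL quoted
above carried pass1/pass2 in the query string, so every access log, proxy log
and browser history between the user and the server records the password.
This scanner flags such requests in a constructed sample log and returns a
redacted copy that is safe to retain.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that usually carry secrets (assumption: extend for your app).
SENSITIVE = re.compile(r"^(pass(word|wd|1|2)?|pwd|secret|token|api[_-]?key)$", re.I)

# Apache/nginx "combined" format: ip ident user [time] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Constructed sample log: one request shaped like the quoted signup URL,
# one harmless GET, and one POST (whose body is never in the request line).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2015:10:01:02 +0000] "GET /order.php?domain=&subdomain=sdjflsdhkfhds&name=asdasdf&email=aaaaa%40letthemeatspam.com&pass1=ThisIsMyPassword&pass2=ThisIsMyPassword&aggree=yes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Oct/2015:10:01:05 +0000] "GET /index.php?page=pricing HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2015:10:02:11 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_leaked_params(url):
    """Return the names of sensitive parameters present in url's query string."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if SENSITIVE.match(k)]


def redact_url(url):
    """Replace the values of sensitive query parameters with REDACTED."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if SENSITIVE.match(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text):
    """Return (findings, redacted_log).

    findings is a list of (client ip, method, leaked parameter names) for each
    request whose query string carried a secret; redacted_log is the input with
    those values removed, so it can be kept or shipped to a SIEM safely.
    """
    findings = []
    redacted_lines = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            leaked = find_leaked_params(m["url"])
            if leaked:
                findings.append((m["ip"], m["method"], leaked))
                line = line.replace(m["url"], redact_url(m["url"]))
        redacted_lines.append(line)
    return findings, "\n".join(redacted_lines)


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for ip, method, names in found:
        print(f"{ip} {method}: credentials in query string ({', '.join(names)})")
    print(clean)
```

The server-side fix is the obvious one: credentials go in a POST body over HTTPS, which keeps them out of the request line that access logs, proxies and browser history record; a scan like this over existing logs tells you how much has already been written to disk and needs to be purged.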

I'll go one further: there are several companies we deal with at work that will send you an e-mail with your plaintext username and password on account creation.

A few of them even go a step further: instead of sending you a reset link if you hit "forgot my password", it'll just re-send the same mail with everything in plain text.

What's worse, these companies handle pretty important data as well. *sigh*


LOL, that is amazing... How can you make such a mistake?

"Great minds discuss ideas; average minds discuss events; small minds discuss people."

Main rig:

i7-4790 - 24GB RAM - GTX 970 - Samsung 840 240GB Evo - 2x 2TB Seagate. - 4 monitors - G710+ - G600 - Zalman Z9U3

Other devices

Oneplus One 64GB Sandstone

Surface Pro 3 - i7 - 256Gb

Surface RT

Server:

SuperMicro something - Xeon e3 1220 V2 - 12GB RAM - 16TB of Seagates 


I think I had an account with them before realizing their free service isn't very good, any recommendations?


LOL, that is amazing... How can you make such a mistake?

 

Not a mistake, just pure incompetence on their part really


I think I had an account with them before realizing their free service isn't very good, any recommendations?

Literally just host stuff from home or pay for hosting

"My game vs my brains, who gets more fatal errors?" ~ Camper125Lv, GMC Jam #15


Literally just host stuff from home or pay for hosting

I mean about my account. I found hostinger which is pretty good for free hosting


Literally just host stuff from home or pay for hosting

That.

No other way these days.

A few years back we were doing a job for a power plant; the security check-ups were ridiculous when we needed to enter the plant, permits etc.

And when it was all over, one of their managers sent us the power plant blueprints via email with an explanation that it was easier that way... I mean, what the hell, people... Just dump the security checks; your no. 1 enemy is your own people. :D


That.

No other way these days.

A few years back we were doing a job for a power plant; the security check-ups were ridiculous when we needed to enter the plant, permits etc.

And when it was all over, one of their managers sent us the power plant blueprints via email with an explanation that it was easier that way... I mean, what the hell, people... Just dump the security checks; your no. 1 enemy is your own people. :D

 

But it all comes from ignorance. I believe most people think computers are powered by magic.

People think email is direct, person to person.

Plain text passwords because "I am the only one with access."

if you want to annoy me, then join my teamspeak server ts.benja.cc


I'll go one further: there are several companies we deal with at work that will send you an e-mail with your plaintext username and password on account creation.

A few of them even go a step further: instead of sending you a reset link if you hit "forgot my password", it'll just re-send the same mail with everything in plain text.

What's worse, these companies handle pretty important data as well. *sigh*

Yeah when I sign up and get my password emailed to me I instantly change it to "Plain_Text_Passwords_SUCK!!"


Yeah when I sign up and get my password emailed to me I instantly change it to "Plain_Text_Passwords_SUCK!!"

 

There's a couple of them that I know will accept a blank password too. Most of them have the usual "Must be more than x characters" etc., but if I just change it to NULL then it'll accept it without issue, and I can just type my username in with no password and it'll accept it. :rolleyes:

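The three practices complained about in the posts above (passwords kept and e-mailed in plain text, a "forgot my password" that re-sends them, and a login that accepts an empty password) are all only possible when the service holds the plaintext. The following is an added example, not code from this thread or from any of the companies mentioned, showing how a service avoids all three: it stores only a salted, iterated hash, rejects blank and short passwords, and handles "forgot my password" with a single-use token that would be e-mailed as a link. It uses only Python's standard library; the in-memory dict standing in for the user database, the PBKDF2 work factor, the token lifetime and the sample usernames and passphrases are assumptions.

```python
"""Password storage that never holds the plaintext, with a reset flow that
issues a one-time token instead of revealing or re-sending the password.

Added example, not code from this thread or from any service it discusses.
Assumptions: an in-memory dict stands in for the user database, PBKDF2-HMAC-SHA256
from the standard library stands in for a memory-hard hash such as scrypt or
Argon2, and the reset token would be delivered to the user as an e-mailed link.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 210_000   # PBKDF2 work factor; assumption, tune to your CPU budget
MIN_LENGTH = 12        # minimum length enforced at registration and reset
TOKEN_TTL = 15 * 60    # reset tokens expire after 15 minutes


class WeakPassword(ValueError):
    """Raised when a password fails the length policy."""


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'; plaintext is never kept."""
    if len(password) < MIN_LENGTH:
        raise WeakPassword(f"password must be at least {MIN_LENGTH} characters")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; a blank password can never verify."""
    if not password:
        return False
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


USERS = {}  # constructed in-memory store: username -> {"pw": ..., "reset": ...}
# Hashed once so that a login for an unknown user costs the same as a real one.
_DUMMY_HASH = hash_password("not-a-real-user-placeholder")


def register(username: str, password: str) -> bool:
    """Create a user; only the hash is written to the store."""
    USERS[username] = {"pw": hash_password(password)}
    return True


def login(username: str, password: str) -> bool:
    """Verify against the stored hash; unknown users still pay the hashing cost."""
    rec = USERS.get(username)
    stored = rec["pw"] if rec else _DUMMY_HASH
    ok = verify_password(password, stored)
    return ok and rec is not None


def start_reset(username: str):
    """Issue a one-time reset token and store only its hash.

    Returns the token (to be sent to the user as a reset link) or None for an
    unknown user. The current password is neither known nor sent.
    """
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset"] = (hashlib.sha256(token.encode()).hexdigest(), time.time() + TOKEN_TTL)
    return token


def finish_reset(username: str, token: str, new_password: str) -> bool:
    """Consume a valid, unexpired token and set a new password."""
    rec = USERS.get(username)
    if rec is None or "reset" not in rec:
        return False
    token_hash, expires = rec["reset"]
    if time.time() > expires:
        del rec["reset"]
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(token_hash, presented):
        return False
    rec["pw"] = hash_password(new_password)   # raises WeakPassword before consuming the token
    del rec["reset"]
    return True
```

Because the store holds only `pbkdf2_sha256$...` strings, there is nothing to e-mail back on "forgot my password", and a dump of the user table gives an attacker salted hashes rather than the credentials people reuse elsewhere, which is exactly the exposure the thread is about.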

Okay, just received an e-mail from them since I apparently made an account there. This mail is not edited; no links and/or names added/removed.

The mail is kinda vague and not really helpful if you ask me, since (knowing myself) the only current trace I have is the e-mail used to make the account. Safety-wise it's good, but not really helpful when you need to reset quickly and don't have the time to dig through the whole site.

    What happened?

    A hacker used an exploit in an old PHP version, that we were using on our website, in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.

    Although the whole database has been compromised, we are mostly concerned about the leaked client information.
    What did we do about it?

    We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.

    In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.

    We reseted all users passwords in our systems and increased the level of encryption to prevent such issues in the future.

    We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.
    What do you need to do?

    As all the passwords have been changed to random values, you now need to reset them when the service goes live again.
    DO NOT USE YOUR PREVIOUS PASSWORD.
    PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.

    We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.
    We are sorry

    At 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that.
    At 000webhost our top priority remains the same - to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together.
    Our leadership team will closely monitor this issue and will do everything possible to earn your trust every day.

    Sincerely,
    000webhost CEO,
    Arnas Stuopelis

May the light have your back and your ISO low.


I'll go one further: there are several companies we deal with at work that will send you an e-mail with your plaintext username and password on account creation.

A few of them even go a step further: instead of sending you a reset link if you hit "forgot my password", it'll just re-send the same mail with everything in plain text.

 

You mean like this?

 

[attached image: post-139790-0-90230900-1446364546.jpg]

You mean like this?

 

[attached image: LTT_pass.jpg]

 

In that case the new password is randomly generated, right?

 

I'm talking about when they literally just send you your current password, no changes at all.


Read that full article, that is atrocious.

 Motherboard  ROG Strix B350-F Gaming | CPU Ryzen 5 1600 | GPU Sapphire Radeon RX 480 Nitro+ OC  | RAM Corsair Vengeance DDR4 3000MHz 2x8Gb | OS Drive  Crucial MX300 525Gb M.2 | WiFi Card  ASUS PCE-AC68 | Case Switch 810 Gunmetal Grey SE | Storage WD 1.5tb, SanDisk Ultra 3D 500Gb, Samsung 840 EVO 120Gb | NAS Solution Synology 413j 8TB (6TB with 2TB redundancy using Synology Hybrid RAID) | Keyboard SteelSeries APEX | Mouse Razer Naga MMO Edition Green | Fan Controller Sentry LXE | Screens Sony 43" TV | Sound Logitech 5.1 X530

