Free web hosting firm 000Webhost has blamed an exploit in an old PHP version of its website for exposing 13.5 million customers’ details to hackers.
In addition to failing to ensure that only the latest, most secure versions of software were used for its website, the company also failed to protect customer data and encrypt passwords.
Worse still, the data breach happened around five months ago, according to security researcher Troy Hunt, who first reported the breach in a blog post.
The data, which includes customer names, emails and plaintext passwords, has reportedly been put up for sale on underground markets, giving cyber criminals a big lead.
It is this kind of breach that enables cyber criminals to test usernames and passwords against other sites, which is possibly how hackers gained access to thousands of British Gas and Vodafone accounts.
Hunt, who runs the breach notification service Have I Been Pwned, said he was tipped off about the breach by an anonymous source.
According to Hunt, 000Webhost has never responded to or acknowledged his warnings, nor contacted affected customers directly.
However, in a notice published on the company’s Facebook page on 29 October, 000Webhost said it became aware of the issue on 27 October and began working to resolve it the same day.
The company said the stolen data included usernames, passwords, email addresses, IP addresses and names, but did not spell out that the passwords had been stored unprotected.
“We are still working 24/7 to identify and eliminate all security flaws,” said 000Webhost, adding that it had reset all users’ passwords and removed “illegally uploaded” pages.
000Webhost also advised all customers to change their passwords and use different passwords for other services.
Independent security consultant Graham Cluley described the lack of encryption as “reckless”.
“One has to assume that words such as hashing, salting and encryption are not in their dictionary,” he wrote in a blog post.
Salting refers to the process of combining each password with a random value that is unique to that account before it is hashed, so that even if two users pick the same password, their stored password representations end up different and an attacker cannot crack them all with one precomputed table. Hashing refers to running the salted password through a one-way cryptographic function (in practice a deliberately slow one designed for passwords) so that only the hash, which cannot be reversed to recover the password, is stored; the salt is kept alongside it and need not be secret. A service that does this can still verify a login, but a stolen database no longer hands the attacker every customer’s password in the clear.
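To make the distinction concrete, the following Python is an added example written for this page; it is not code from 000Webhost or from the article’s sources. It contrasts the plaintext storage described above with salted, iterated hashing using PBKDF2 from the standard library. The record format, iteration count and sample users are assumptions chosen for illustration, and the stored record carries its own salt and work factor so a verifier can check a login without ever storing the password itself.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte
# random salt and a work factor high enough to slow offline guessing.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The reckless option: the stored record *is* the password.

    Anyone who copies the table can log in as every user and try the same
    credentials against other sites, which is the credential-stuffing risk
    described above.
    """
    return password


def unsalted_hash(password: str) -> str:
    """A single fast SHA-256 with no salt. Better than plaintext, but every
    user with the same password gets the same record, so one precomputed
    table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Returns a self-describing record of the form
    algorithm$iterations$salt_hex$digest_hex so the verifier knows how to
    recompute it. A fresh random salt is drawn for every call."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and work factor taken from the stored
    record, then compare in constant time so timing does not leak how many
    leading bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """Two accounts that chose the same password must not share a record."""
    return hash_password(password) != hash_password(password)


def unsalted_records_collide(password: str) -> bool:
    """Without a salt, identical passwords always produce identical hashes."""
    return unsalted_hash(password) == unsalted_hash(password)


def build_user_table() -> dict:
    """Constructed sample data, not real customer records: two users who
    happen to pick the same password, stored three different ways."""
    users = {"alice": "letmein123", "bob": "letmein123"}
    return {
        name: {
            "plaintext": store_plaintext(pw),
            "unsalted_sha256": unsalted_hash(pw),
            "salted_pbkdf2": hash_password(pw),
        }
        for name, pw in users.items()
    }


if __name__ == "__main__":
    table = build_user_table()
    for name, records in table.items():
        print(name)
        for kind, record in records.items():
            print(f"  {kind:16} {record}")
    # Only the salted records differ between alice and bob, yet both still
    # verify against the password the user actually typed.
    print(verify_password("letmein123", table["alice"]["salted_pbkdf2"]))
    print(verify_password("wrong", table["bob"]["salted_pbkdf2"]))
```

The plaintext and unsalted rows for the two users come out identical, which is exactly what lets an attacker who steals the table recognise shared passwords and crack them in bulk; only the salted rows differ, and a leaked salt does not help the attacker because each guess still has to be run through the full iteration count per account.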