
Breaches, traders, plain text passwords, ethical disclosure and 000webhost - franciscop
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html?m=1
======
duskwuff
Possibly the most horrifying parts of this situation are:

1. A dump of 000webhost's user database was being circulated and actively
exploited for _over six months_, and they either never realized what was
going on, or never took any action. (I'm not even sure which would be worse.)

2. 000webhost made themselves essentially impossible for the author to
contact (regarding a very serious security issue!), and _still_ haven't
publicly acknowledged the breach, beyond forcing a password reset.

~~~
technion
As much as this whole thing is horrific, to be fair about 1), if a dump
doesn't show up in any public forum, pastebin or Tweet, it can be hard to
realistically become aware of it.

(and yes, point 2 makes that redundant in this case)

~~~
duskwuff
Over a short period, sure. Over a period of six months, though, as the
credentials get passed around and used... _surely_ they should have noticed
that their customers' sites were getting exploited unusually often, and in
ways that couldn't be explained by typical poor security practices?

~~~
technion
I've done a lot of work with cheap shared hosting and... I doubt it. Closing a
compromised account until it's repaired is something I've done five times in a
day, and I stopped investigating after a while because it was absolutely
always a WordPress or Joomla installation that hadn't been updated in five-plus
years.

I played for a while with sending people warning letters asking them to
upgrade known vulnerable versions, and more often than not they would just
close their account and move it somewhere they "don't have those issues".

It's easy to be amongst larger application developers and lose track of just
how low the bar is in the market they are playing in.

------
click170
A good way of determining how seriously an organization takes security is to
look for any kind of security incident report page or security contact info.
Bonus points for publishing a GPG key for the security account. Pretend you
have found a security issue in their system and look for how they want that
reported.

Also, unresponsive companies like this contribute to the volume of people who
don't bother with responsible disclosure and just go straight to full
disclosure, anonymously or not.

Companies need to see a hit on their bottom line or a breach in their own
security before they take it seriously, as has been demonstrated time and
again.

~~~
sarciszewski
Are we doing it right?
[https://paragonie.com/contact](https://paragonie.com/contact) :)

~~~
jessaustin
I'm getting a 502 from CloudFlare, so maybe not?

~~~
sarciszewski
Yeah, I don't know what happened. I got those last night and I SSH'd in and
there were no problems on our end: Both nginx and php5-fpm were running clean
as a whistle, no error log entries, etc. :\

------
mfkp
Wow, terrible response.

Unfortunately I believe I'm on that list from when I was in middle or high
school, dabbling with PHP. I'm certain that I haven't used that password in
nearly 10 years (and of course now use a password manager with random
passwords for every site), but it still feels terrible anyway that my email
and plaintext password are being sold online.

~~~
simcop2387
You can confirm now via the service troy runs:
[https://haveibeenpwned.com/](https://haveibeenpwned.com/)

------
tptacek
To a first approximation: _all_ of these no-name hosting services are owned
up. Do not use mom-and-pop hosting providers.

~~~
cpayne
I agree. I am constantly surprised when people have the concept of _free_

They will happily pay $50 - $200 for drinks on the weekend, but when something
hosting comes up, there's a perception that it "should" be free.

At the end of the day, we all pay. It's just a question of how much...

------
franciscop
I made a free HTML & CSS course some time ago and used 000webhost for the
convenience of just zipping and uploading it to make it live. Now I have to
dig up their contact to tell them the bad news. 000webhost turned out to be
like a bad STD.

------
marincounty
They need to work on their security, but I've had three websites up for four
years--for free. Never paid a cent. I don't think another hosting service can
beat free.

I did have problems with one site, it was hijacked by someone with a .ru
email. I needed to point my name servers elsewhere in order to get my account
back. Yes, it was a problem, but their staff was not completely indifferent to
my problem. I've experienced worse.

I can't knock a free server. If they get their security problems worked out, I
would consider paying them, and using them for a site I really cared about.

~~~
yeukhon
AWS has a free tier as long as you don't go over limit. But obviously if you
get DDoS, then your bill can go up.

Digital Ocean is a good one for $5 and pretty stable for me. If all you need
is a static site, use github.

~~~
click170
Prepaid credit cards are a very valuable tool for anyone using the AWS free
tier of service. It's an extra layer of protection if you ever do get DDoS'd.

No, I don't care if it means Amazon doesn't get paid for the bandwidth
consumed by an attack. Sometimes all I care about is not getting a 10k or
bigger bill at the end of the month for what was advertised as free. IMO they
really need a way of automatically shutting down VMs that go over limit
instead of just charging the credit card on file.

~~~
voltagex_
If it's your personal project, shove CloudFlare in front of the AWS site.

Also, they have
[http://docs.aws.amazon.com/AmazonCloudWatch/latest/Developer...](http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingAlarmActions.html)
but like a lot of things with AWS, it's ridiculously complex.

~~~
click170
Yeah, I understand that it's possible to configure alerts so that you are
notified when your account goes overlimit, but for pet projects, I don't want
to be notified and expected to respond, I want it to just stop the server. I
don't see them ever actually implementing this though because it wouldn't
bring in any additional revenue.

~~~
redbeard0x0a
I don't see why you couldn't use the CloudWatch metric to just turn off all
your instances if you go over budget.

Of course it would require you to set it up, but for the vast majority of
companies that are on AWS, if they were to go over their budget, it would be
worse to shut down the instances in that case...
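The budget-triggered shutdown redbeard0x0a describes, as an added example that is not code from any commenter or from AWS: a Python Lambda handler subscribed to the SNS topic that a CloudWatch alarm on the AWS/Billing EstimatedCharges metric notifies, stopping every running EC2 instance when that alarm enters ALARM (a billing alarm has to go through SNS and a function like this, because CloudWatch's built-in EC2 stop action only applies to per-instance metrics). The alarm name, the FakeEC2 stand-in and the sample event are assumptions constructed for this example; a real deployment passes nothing for `ec2` and gets a boto3 client.

```python
import json
from typing import Any, Dict, List, Optional

# Assumed name of a CloudWatch alarm on the AWS/Billing EstimatedCharges metric (us-east-1 only).
BUDGET_ALARM_NAME = "monthly-budget-exceeded"

def parse_alarm_notification(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Extract the CloudWatch alarm JSON from an SNS-triggered Lambda event; None if malformed."""
    try:
        message = json.loads(event["Records"][0]["Sns"]["Message"])
    except (KeyError, IndexError, TypeError, ValueError):
        return None
    return message if isinstance(message, dict) and "AlarmName" in message else None

def should_stop(alarm: Dict[str, Any]) -> bool:
    """Act only when the budget alarm enters ALARM; OK, INSUFFICIENT_DATA and other alarms are ignored."""
    return alarm.get("AlarmName") == BUDGET_ALARM_NAME and alarm.get("NewStateValue") == "ALARM"

def running_instance_ids(ec2) -> List[str]:
    """Ids of instances in the 'running' state, using the boto3 describe_instances response shape."""
    resp = ec2.describe_instances(Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    return [i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"]]

def handler(event: Dict[str, Any], context=None, ec2=None) -> List[str]:
    """Lambda entry point; returns the ids it stopped so the action shows up in the function logs."""
    alarm = parse_alarm_notification(event)
    if alarm is None or not should_stop(alarm):
        return []
    if ec2 is None:  # real deployment: boto3 client; injectable so the logic can run offline
        import boto3
        ec2 = boto3.client("ec2")
    ids = running_instance_ids(ec2)
    if ids:  # nothing running means nothing to stop; skip the API call
        ec2.stop_instances(InstanceIds=ids)
    return ids

class FakeEC2:  # constructed stand-in for the boto3 EC2 client, for offline use
    def __init__(self, running: List[str]):
        self.running, self.stopped = list(running), []
    def describe_instances(self, Filters=None):
        return {"Reservations": [{"Instances": [{"InstanceId": i} for i in self.running]}]}
    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)

def sample_event(state: str, name: str = BUDGET_ALARM_NAME) -> Dict[str, Any]:  # constructed SNS event
    msg = {"AlarmName": name, "NewStateValue": state,
           "Trigger": {"MetricName": "EstimatedCharges", "Namespace": "AWS/Billing"}}
    return {"Records": [{"Sns": {"Message": json.dumps(msg)}}]}
```

The function's role only needs `ec2:DescribeInstances` and `ec2:StopInstances`, and stopped instances keep their EBS volumes, so the effect is a pause rather than data loss.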

------
8ig8
This guy on Reddit also noticed a security issue years ago...

[http://www.reddit.com/r/netsec/comments/3qqo79/000webhost_da...](http://www.reddit.com/r/netsec/comments/3qqo79/000webhost_data_breach_13m_passwords_disclosed/cwhmsd9)

------
marak830
Jesus. Thanks for the heads up. I was with these guys last month, now I'm on
their paid service. Great.

~~~
franciscop
Then you _might_ be lucky since the breach was 7 months ago (yikes)

~~~
marak830
It reports I'm included. I think the account was really old, I'm going to
migrate to a new host this weekend. Shit.

Anyone got a good host they use? Lol. There goes my weekend. Daaaaamnit!

~~~
voltagex_
DigitalOcean or AWS, GitHub or NeoCities for static stuff.

------
Keverw
I really hate hearing about all these cyber attacks lately. Makes me worried
some day the government will force you to get an expensive license to launch a
website, maybe even requiring years of mandatory college.

Just a bit scared that someday these irresponsible companies will ruin it all
for even the ones that are responsible, such as hashing passwords and other
security measures.

Wonder if other Hostinger services were also hacked, like YouHosting or
Hosting24.

------
TheLML
Just got an e-mail from them about the breach.

"At 000webhost we are committed to protect user information and our systems.
We are sorry and sincerely apologize we didn't manage to live up to that."

Being committed to protecting user information and saving passwords as plain
text are two different things in my opinion, though.

------
papercruncher
Always exciting to see my home country (Cyprus) mentioned although I'm 90%
sure that's just a shell corp and the address is their accountant's/lawyer's
office.

------
JorgeGT
Damn, one of my old accounts got compromised. Thanks for reporting, no
communication received from 000webhost at all about this issue.

