UPDATED 00:35 EDT / OCTOBER 29 2015

Free webhosting provider 000webhost hacked, 13.5m accounts now offered on the Darkweb

A hack of a free web hosting provider has seen millions of user account details offered on the Darkweb.

The hack of 000Webhost, a Lithuanian provider, was discovered by independent security researcher Troy Hunt, best known for running the service Have I been pwned?. Hunt was contacted by an anonymous source who claimed to have a database containing the credentials of 13.5 million 000Webhost users.

Hunt has so far confirmed with five of the people included in the list that it contains the names, passwords, and IP addresses they used to access 000Webhost.

“By now there’s no remaining doubt that the breach is legitimate and that impacted users will have to know,” Hunt wrote in a blog post.

Data included in the breach includes usernames, passwords, email addresses, and IP details.

000Webhost at first refused to publicly admit that it had been hacked, and instead forced users to reset their passwords, but in light of the publicity it has since confessed, writing on its Facebook page:

We have witnessed a database breach on our main server.

What happened?
A hacker used an exploit in an old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.

What did we do about it?
First of all, we removed all illegally uploaded pages as soon as we became aware of the breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.

What do you need to do?
As all the passwords have been changed to random values, you now need to reset them. DO NOT USE YOUR PREVIOUS PASSWORD. PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD ANYWHERE ELSE.

Expert view

SiliconANGLE spoke to Rapid7 Security Manager Tod Beardsley about the breach. He explained that, among other things, 000Webhost’s initial non-response was a by-the-numbers “what not to do” cautionary tale about breach notification handling.

“We know that breaches happen, with some regularity, so I don’t blame 000Webhost for getting compromised, but it’s critical that organizations who suffer a compromise communicate effectively, quickly, and directly to their customer base with steps to protect themselves,” Beardsley said. “Given 000Webhost’s position as a top free web hosting provider, there are undoubtedly thousands and thousands of small companies who rely on 000Webhost for their economic viability, and every one of them is now exposed to casual vandalism.”

“Depressingly, every list of ‘best free web hosting services’ I could find, including the Wikipedia comparison page, lacks any sort of security criteria that people can use to make informed choices… Feature sets and usability are important, to be sure, but regular security patching, public audit records, and a statement of intent of how breaches are handled are crucially important to protect users’ data, not to mention the downstream customers’ data.”

If you happen to be a 000Webhost customer and haven’t reset your password yet, do so as quickly as possible.

Image credit: lachlanhardy/Flickr/CC by 2.0
