

13 Million Passwords Leaked - 000WebHost - Page 3

Comments

  • deadbeef Member
    edited October 2015

    @MeAtExampleDotCom said:
    IMO basic security is an absolute requirement not a recommendation, so this is a "due diligence" and "duty of care" issue.

    Well, that's just your opinion.

    Insufficient security is potentially putting your users, and in some circumstances the general public, at unnecessary risk in the name of cutting your own costs.

    Higher costs, fewer people able to access a service. By imposing artificial restraints, all you do is block poorer people from having access to the services.

    If people care about security, they act upon it. They take their own measures and they deal with companies they deem trustworthy. Wherever there is demand for security, there are investments in it.

    We want bankers properly punished for putting our money at unnecessary risk for their own gain

    You are confusing cause and effect.

  • GM2015 Member
    edited October 2015

    They've suspended the refer a friend program and https://spideroak.com/privacypost/register redirects elsewhere. You can now only register for their passion it seems.

    I'd given you a referral otherwise. How about hubic?

    For hubic, try https://hubic.com/home/new/?referral=DHJMVU or https://hubic.com/home/new/?referral=WVUAXA or https://hubic.com/home/new/?referral=nekki or https://hubic.com/home/new/?referral=georgecarlin or https://hubic.com/home/new/?referral=gimmefreeplatzen or https://hubic.com/home/new/?referral=whtsucks

    drazilox said: Looks like SpiderOak in Switzerland. Cool. It seems like the only thing you can get for free is a 14 or 30 day trial, which kinda sucks. I'd be happy even with 1GB. Do you have an ability to invite or something, that could possibly give a permanent free account?

  • @drazilox said:
    Looks like SpiderOak in Switzerland. Cool. It seems like the only thing you can get for free is a 14 or 30 day trial, which kinda sucks. I'd be happy even with 1GB. Do you have an ability to invite or something, that could possibly give a permanent free account?

    How could you miss the free plan on their site? :o

    Thanked by 1: drazilox
  • drazilox Member
    edited October 2015

    @deadbeef said:
    How could you miss the free plan on their site? :o

    Fucking what? Every link seems to go to the free trials. I feel like I'm blind now. Could you, maybe, link it to me :P

    EDIT: OH! Now I found it. It's not super obvious though, which kinda makes sense, since they want people to pay. Oh man.

    GM2015 said: They've suspended the refer a friend program and https://spideroak.com/privacypost/register redirects elsewhere. You can now only register for their passion it seems.

    I was talking about tresorit. SpiderOak still gives 2GB free, which I'm very happy with.

    GM2015 said: How about hubic?

    Thanks but no thanks. I'll use SpiderOak and maybe tresorit for all the important stuff, like KeePass database and some important notes, and everything else I can host elsewhere.

    Thanked by 2: GM2015, deadbeef
  • @drazilox said:
    Looks like SpiderOak in Switzerland. Cool. It seems like the only thing you can get for free is a 14 or 30 day trial, which kinda sucks. I'd be happy even with 1GB.

    There's a free plan with 2GB data, so on that point alone I'd recommend Tresorit and you can get more than double the data for free. SpiderOak are a US-based company is what I meant, I've not investigated where the data is physically held.

  • GM2015 Member
    edited October 2015

    It's 3GB if I'm not on the wrong page. Though 1GB isn't that big a change. https://tresorit.com/pricing/basic

    Nekki said: There's a free plan with 2GB data, so on that point alone I'd recommend Tresorit and you can get more than double the data for free. SpiderOak are a US-based company is what I meant, I've not investigated where the data is physically held.

  • Nekki said: There's a free plan with 2GB data, so on that point alone I'd recommend Tresorit and you can get more than double the data for free. SpiderOak are a US-based company is what I meant, I've not investigated where the data is physically held.

    I would guess it's hosted in US, although I'm not sure. One big minus on tresorit is 3 device limit, but I'm guessing that I can always access the data from the web interface, when using that fourth device.

    GM2015 said: It's 3GB if I'm not on the wrong page. Though 1GB isn't that big a change.

    Yep, it's 3 GB, and you can get 2 GB bonus if you do these steps: http://i.imgur.com/VQbExOr.png, so in total you can have 5 GB for free.

    Thanked by 1: GM2015
  • GM2015 Member
    edited October 2015

    I will register an account with virtual box. Thanks.

    drazilox said: Yep, it's 3 GB, and you can get 2 GB bonus if you do these steps: http://i.imgur.com/VQbExOr.png, so in total you can have 5 GB for free.

  • GM2015 said: Is the site maintainer selling those emails?

    > implying he isn't

  • joepie91 Member, Patron Provider
    edited October 2015

    000webhost said: At Hostinger and 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that.

    Oh, come on. Stop lying. Nobody here believes your fairytales, and posting standard PR agency drivel is certainly not going to do anything for your cause.

    If you cared so much about user information and your systems, you'd have had a proper security policy in place from the start. You haven't invested any effort into your security, and now that you've been caught red-handed, you're trying to convince everybody that it was "an unfortunate mistake", and that you honestly care.

    Please, just fuck off, until you own up to what you've done and genuinely change things - from your systems down to your security process and handling of security reports.

    We will fully cooperate with law enforcement authorities once our internal investigation has been completed.

    As if that fucking matters. Law enforcement will not secure your servers, will not save your users, and will certainly not prevent this from happening in the future.

    Stop trying to point blame. You are responsible for this breach. Not somebody else.

    We became aware of this issue on the 27th of October and since then our team started to troubleshoot and resolve this issue immediately.

    Bullshit.

    000webhost said: Additionally we are going to upgrade our systems in a close future.

    Too late. And it doesn't fix the problem, because the problem is you - not your systems.

    Scumbags.

    Thanked by 1: GM2015
  • He seemed like a nice guy on a link Sven/joepie posted, but appearances more often than not deceive. Plus, he's got multiple huge lists that people sell like crazy.

    4n0nx said: implying he isn't

  • joepie91 said: Stop trying to point blame. You are responsible for this breach. Not somebody else.

    Meh, I think at least part of the blame should be assigned to the hackers who actually broke in and collected the data.

  • Meh, I think at least part of the blame should be assigned to the hackers who actually broke in and collected the data.

    Nah. With that kind of logic we could do away with armies, burglar alarms, locks, keys etc. But due to the ol' occasion where a man (or woman) turns into an opportunist, common sense and society suggests things need to be taken care of in a certain way.

  • colingpt Member
    edited October 2015

    @Ole_Juul said:
    If you have nothing to hide, you don't need passwords.

    Totally don't disagree. You may check this video on TED for a fair point.

  • @colingpt said:

    Thanks. I just watched it. Greenwald is remarkably clear on this concept.

  • emg Veteran

    @deadbeef said: You don't need a friend for your "holy shit" scenario - instead use this: https://spideroak.com

    All you need to remember is a single password and you're set. No need to rely on anyone this way.

    Sorry, but it seems that you missed the point. All I said was:

    • You need to backup the encrypted random password data that the password manager stores for you.

    If your one-and-only copy gets lost or destroyed, a backup is important, because there is no easy way to recover otherwise. There are many ways to backup your password manager data. SpiderOak is a fine solution and everyone appreciates your recommendation.

    • If you have any legacy to leave behind in the event you are incapacitated or die, you should consider how you will arrange to do it.

    Again, there are lots of possible solutions. You could leave instructions in a sealed envelope with a trusted friend. If something were to happen to me, I have made arrangements so that my family can quickly get access to banking, bill payment, and other important accounts and information.

  • @Ole_Juul said:

    Just notice what I wrote... "don't disagree", lol, have fun XD

    Thanked by 1: Ole_Juul
  • Just got this by email.

    What happened?

    A hacker used an exploit in an old PHP version that we were using on our website in order to gain access to our systems. Data that has been stolen includes usernames, passwords, email addresses, IP addresses and names.

    Although the whole database has been compromised, we are mostly concerned about the leaked client information.
    What did we do about it?

    We have been aware of this issue since 27th of October and our team started to troubleshoot and resolve this issue the same day, immediately after becoming aware of this issue.

    In an effort to protect our users we have temporarily blocked access to systems affected by this security flaw. We will re-enable access to the affected systems after an investigation and once all security issues have been resolved. Affected systems include our website and our members area. Additionally we have temporarily blocked FTP access, as FTP passwords have been stolen as well.

    We reset all users' passwords in our systems and increased the level of encryption to prevent such issues in the future.

    We are still working around the clock to identify and eliminate all security flaws. We will get back to providing the free service soon. We are also updating and patching our systems.
    What do you need to do?

    As all the passwords have been changed to random values, you now need to reset them when the service goes live again.
    DO NOT USE YOUR PREVIOUS PASSWORD.
    PLEASE ALSO CHANGE YOUR PASSWORDS IF YOU USED THE SAME PASSWORD FOR OTHER SERVICES.

    We also recommend that you use Two Factor Authentication (TFA) and a different password for every service whenever possible. We can recommend the Authy authenticator app and the LastPass password manager.
    We are sorry

    At 000webhost we are committed to protect user information and our systems. We are sorry and sincerely apologize we didn't manage to live up to that.
    At 000webhost our top priority remains the same - to provide free quality web hosting for everyone. The 000webhost community is a big family, exploring and using the possibilities of the internet together.
    Our leadership team will closely monitor this issue and will do everything possible to earn your trust every day.

    Sincerely,
    000webhost CEO,
    Arnas Stuopelis

  • joepie91 Member, Patron Provider
    edited October 2015

    @singsing said:
    Meh, I think at least part of the blame should be assigned to the hackers who actually broke in and collected the data.

    That part is so statistically insignificant at this point, that it might as well not exist. This is some serious negligence on 000webhost's side. Far beyond your typical breach.

  • Whoever has access to all those plaintext passwords can make the ultimate Rainbow table :D

    Thanked by 1: netomx
  • shovenose Member, Host Rep

    Any reviews on lastpass?

  • @shovenose said:
    Any reviews on lastpass?

    Have been using lastpass for a while now and it works nicely, though I'm switching to something else since it was bought by logmein.

  • adxn Member, Host Rep

    But I don't believe it is a result of an old PHP version flaw. A while back I noticed something on the 000webhost website: they were leaking out quite a bit of information through inode versions in ETag headers, which are sufficiently the only thing needed to map the entire disk at the backend.
    A simple script that would iterate requests and ignore the already harvested inodes is mostly needed to map the entire disk and compromise the database.
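
    The header leak described in the post above can be checked for from the defender's side. The following is an added example, not code from the thread or from 000webhost: it recognises the legacy Apache `FileETag INode MTime Size` layout (three hex fields) in captured response headers and flags the URLs that expose an inode component, so the server can be switched to `FileETag MTime Size`. The sample responses are constructed for the example.

```python
import re

# Apache builds its ETag from the components enabled by FileETag, joined with "-":
#   legacy default "INode MTime Size"  -> "<inode>-<size>-<mtime>"  (three hex fields)
#   hardened       "MTime Size"        -> "<size>-<mtime>"          (two hex fields)
# Apache 2.4 ships with the two-field default; older configs and explicit
# "FileETag All" / "FileETag INode ..." still emit the inode. A leading W/ marks a
# weak validator and carries no extra information.
APACHE_ETAG = re.compile(r'^(W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+){1,2})"$')

# Constructed sample of (request path, ETag header value) pairs as a scanner
# of our own site might record them.
SAMPLE_RESPONSES = [
    ("/index.php", '"2a1b-1f3-4c8f1a2b3c4d5"'),      # three fields: inode exposed
    ("/style.css", '"1f3-4c8f1a2b3c4d5"'),           # two fields: size-mtime only
    ("/img.png",   'W/"2a1b-1f3-4c8f1a2b3c4d5"'),    # weak ETag, still three fields
    ("/api",       '"abc123"'),                       # opaque hash, not Apache layout
]


def parse_etag(value):
    """Split an Apache-style ETag into its hex fields; None for any other shape."""
    m = APACHE_ETAG.match(value.strip())
    if not m:
        return None
    return m.group(2).split("-")


def leaks_inode(etag):
    """Heuristic: a three-field Apache ETag is the INode-MTime-Size layout.

    Two-field values cannot be distinguished further (they could be MTime Size or
    INode Size), so only the three-field form is reported as a definite leak.
    """
    fields = parse_etag(etag)
    return fields is not None and len(fields) == 3


def audit_etags(responses):
    """Return the paths whose ETag exposes an inode number, in input order."""
    return [path for path, etag in responses if leaks_inode(etag)]


if __name__ == "__main__":
    for path in audit_etags(SAMPLE_RESPONSES):
        print(f"{path}: ETag exposes inode; set 'FileETag MTime Size' (Apache 2.4 default)")
```

A clean result from this audit does not prove the hosting stack is otherwise patched; it only confirms that filesystem metadata is no longer handed out in cache validators.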

  • @CFarence said:
    Have been using lastpass for a while now and it works nicely, though I'm switching to something else since it was bought by logmein.

    Exactly. I'd stay away from them if I were you.

  • @mpkossen said:
    Exactly. I'd stay away from them if I were you.

    I just installed 1Password and am trying that out, so far I like it. Probably going to use something like Syncthing to sync between my devices. They really like Dropbox for syncing, but I'm trying to move away from Dropbox to Syncthing.

    Thanked by 1: mpkossen
  • linuxthefish Member
    edited November 2015

    haha wtf, is this a bad joke?

    Thanked by 2: GM2015, PremiumN
  • linuxthefish said: haha wtf, is this a bad joke?

    lmfao guess so

  • I think Encryptr is better when it comes to this. All of the stored data is encrypted. If you lost your password, you lost your data for good.

    If data is breached, the encrypted stuff would be useless. It doesn't have emails attached to accounts, so this will make things harder for anyone to link that encrypted data to someone.
