Bitcoin Forum

Other => Off-topic => Topic started by: Lt.Bitcoin on November 16, 2015, 02:48:44 PM



Title: 000webhost hacked - 13 million passwords leaked
Post by: Lt.Bitcoin on November 16, 2015, 02:48:44 PM
Hello Guys!

I just saw this news here:
http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

000webhost has been recently hacked and 13 million plain passwords have been leaked.
If you want to check if you are a victim or not of this attack, visit here: https://haveibeenpwned.com/

Such bad news for the users of 000webhost.com
Lt.Bitcoin


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: WWC-DEV on November 16, 2015, 02:55:46 PM
If you want to check if you are a victim or not of this attack, visit here: https://haveibeenpwned.com/

Is it safe to visit this site?


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: mexxer-2 on November 16, 2015, 03:00:01 PM
If you want to check if you are a victim or not of this attack, visit here: https://haveibeenpwned.com/

Is it safe to visit this site?
Backing from pcworld and other trusted sites. Seems safe to visit.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: WWC-DEV on November 16, 2015, 03:06:07 PM
If you want to check if you are a victim or not of this attack, visit here: https://haveibeenpwned.com/

Is it safe to visit this site?
Backing from pcworld and other trusted sites. Seems safe to visit.

Is that site owned by pcworld?


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: mexxer-2 on November 16, 2015, 03:07:27 PM

Is that site owned by pcworld?
Nope, I meant it's backed/supported/reported (in a good way) by PCWorld and other sites like Business Insider, Digital Trends etc. You can see it if you google it.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Spoetnik on November 16, 2015, 03:17:34 PM
I heard similar a week ago about cheating date site Ashley Madison


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Faradey100 on November 16, 2015, 03:39:53 PM
They have not published logins and passwords?


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: kolloh on November 16, 2015, 03:47:19 PM
Wow, 13 million user records and passwords stored in plain text. /facepalm


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: WWC-DEV on November 16, 2015, 03:49:07 PM
They have not published logins and passwords?

I don't think the passwords are public yet.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Daniel91 on November 16, 2015, 05:48:19 PM
This is old news already, happened 2 weeks ago.
We all had to change passwords and now can use this hosting and edit our sites again, without problem.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: WWC-DEV on November 16, 2015, 06:04:34 PM
This is old news already, happened 2 weeks ago.
We all had to change passwords and now can use this hosting and edit our sites again, without problem.

There are some people who lost their accounts too.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: shorena on November 16, 2015, 08:54:13 PM
The full dump is here[1] for now at least[2]. Very interesting top100 passwords, esp. #11 (ouch) and the seemingly random one that was used >9000 times[4].

[1] https://000webhost.thecthulhu.com/
[2] https://twitter.com/CthulhuSec/status/666167981949526016
[3] https://twitter.com/asdizzle_/status/661323805214814209
[4] https://twitter.com/asdizzle_/status/665933815420989440


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lauda on November 16, 2015, 09:10:29 PM
Is it safe to visit this site?
That site is actually very good and I did not know that it existed. I just checked that I was "pwned". I didn't even know that I had accounts on some of these places! Time to start deleting. It's quite unfortunate that this happens on places that do not deserve to be hacked. This is why companies need to start hiring more (skilled) people to handle security, it should never be neglected.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lt.Bitcoin on November 17, 2015, 02:33:42 PM
Is it safe to visit this site?
That site is actually very good and I did not know that it existed. I just checked that I was "pwned". I didn't even know that I had accounts on some of these places! Time to start deleting. It's quite unfortunate that this happens on places that do not deserve to be hacked. This is why companies need to start hiring more (skilled) people to handle security, it should never be neglected.
Yup, I got that information while I was searching for free web hosting and security is the main thing of any organization or anything. From your home to your phones, I think 000webhost had this intention to do that's why they stored the data in plain text instead of an encrypted string.

Lt.Bitcoin


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: An0nym0us on November 17, 2015, 02:46:40 PM
Fuck, I had an account there....


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Parazyd on November 17, 2015, 02:54:29 PM
I have a copy of the dump. All the passwords are plaintext ;D
You see how dumb people actually are with their passwords...

What do I do with it now?


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lauda on November 17, 2015, 03:12:37 PM
I have a copy of the dump. All the passwords are plaintext ;D
You see how dumb people actually are with their passwords...

What do I do with it now?
Well you can't generalize either. There are people that have created their accounts in the past for testing (or other reasons) and have not deleted them. However, you are also right. I have quickly looked through that list as well.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Parazyd on November 17, 2015, 03:29:25 PM
I have a copy of the dump. All the passwords are plaintext ;D
You see how dumb people actually are with their passwords...

What do I do with it now?
Well you can't generalize either. There are people that have created their accounts in the past for testing (or other reasons) and have not deleted them. However, you are also right. I have quickly looked through that list as well.

Did you find mine? A fucking 6char password... Damn I was an idiot back then. I think it was 2010. or something.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Spoetnik on November 17, 2015, 03:51:08 PM
I have a copy of the dump. All the passwords are plaintext ;D
You see how dumb people actually are with their passwords...

What do I do with it now?

brag to your friends about having them LOL

edit:
Ahh I see the pwned site now.
Yeah I have been there before with another hacker story I saw at Neowin.net News site.
It's legit I think.
And no I was not on the list of pwned guys but I will see again now hahhaha
I thought it was just for that one incident long ago.. not multiple hacks etc.

edit:
Nope.
I checked all the accounts I use ..I was not on any list 8)
I didn't think I would be..


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Parazyd on November 17, 2015, 04:32:14 PM
I have a copy of the dump. All the passwords are plaintext ;D
You see how dumb people actually are with their passwords...

What do I do with it now?

brag to your friends about having them LOL

edit:
Ahh I see the pwned site now.
Yeah I have been there before with another hacker story I saw at Neowin.net News site.
It's legit I think.
And no I was not on the list of pwned guys but I will see again now hahhaha
I thought it was just for that one incident long ago.. not multiple hacks etc.

edit:
Nope.
I checked all the accounts I use ..I was not on any list 8)
I didn't think I would be..

It's a legit dump nevertheless... I found my account inside  :-\


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Flash1997 on November 17, 2015, 04:44:35 PM
This happened some weeks ago but now they are back online, with more security.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lt.Bitcoin on November 17, 2015, 05:17:22 PM
This happened some weeks ago but now they are back online, with more security.
Hello Flash1997,

I opened their website and I think now no one will be going to create an account there. The site doesn't provide any proof that our passwords are secured with them. They should be checked and verified by some group of users whom we can trust at all.

Hope to see them back in business soon, I had an account pwned! :P
Lt.Bitcoin


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lauda on November 17, 2015, 06:23:50 PM
It's a legit dump nevertheless... I found my account inside  :-\
Yes, legit. I verified.

Did you find mine? A fucking 6char password... Damn I was an idiot back then. I think it was 2010. or something.
Not really. As said, I just looked through it; I was not looking for anything particular and have already removed the file. Interesting "hard-to-crack" passwords indeed.

This happened some weeks ago but now they are back online, with more security.
They always say "more security" until someone leaks the next set of unencrypted data.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: shorena on November 17, 2015, 06:28:53 PM
It's a legit dump nevertheless... I found my account inside  :-\
Yes, legit. I verified.

Just curious, what was your password?

-snip-
They always say "more security" until someone leaks the next set of unencrypted data.

The way they handled the person reporting the leak to them speaks volumes. They probably run other hosting companies as well, they did some cross promotions on Facebook.

-snip-
Interesting "hard-to-crack" passwords indeed.
-snip-

do grep correcthorsebatterystaple

Some of the passwords are actually good though, they look random and have a decent length. Others however... Passw0rd, abc123, lots of keyboard walking.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Parazyd on November 17, 2015, 06:32:53 PM
It's a legit dump nevertheless... I found my account inside  :-\
Yes, legit. I verified.

Just curious, what was your password?

Wouldn't you like to know? :D

You can PM me, I'll give you the dump.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: shorena on November 17, 2015, 08:42:06 PM
It's a legit dump nevertheless... I found my account inside  :-\
Yes, legit. I verified.

Just curious, what was your password?

Wouldn't you like to know? :D

You can PM me, I'll give you the dump.

Already got it, thanks.

It's hard to find that one password among 15 million, so in a sense I already "know", I just can't access the knowledge because it's badly formatted. Even though I started formatting and sorting the passwords (I don't care much about the other data) it's still difficult to handle due to the size.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lauda on November 17, 2015, 10:47:01 PM
It's hard to find that one password among 15 million, so in a sense I already "know", I just can't access the knowledge because it's badly formatted. Even though I started formatting and sorting the passwords (I don't care much about the other data) it's still difficult to handle due to the size.
Badly formatted? What did you use to open the dump with? I thought it was Full name, email, password and it looked fine to me the last time I opened it.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: ryandanielt on November 17, 2015, 10:54:46 PM
I guess that's why it was always the smartest thing to not use the same password for every site. I got I think 32 different passwords in my head I use lol


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: John (John K.) on November 18, 2015, 12:11:38 AM
Yep, I found my old account there. It's good that I used a password manager and had unique passwords though :D


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Decoded on November 18, 2015, 12:42:47 AM
Damn, to think the day before, I deleted my account xD

I never liked their service anyway. The only good thing that they provided was a working ftp connection to net2ftp. That's it. After let's say, 20 views, your website will shut down for having taken up too much bandwidth. I use hourb, which is the best, but the only problem is that their ftp servers don't work unless you use their file manager.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Parazyd on November 18, 2015, 12:56:44 AM
Damn, to think the day before, I deleted my account xD

I never liked their service anyway. The only good thing that they provided was a working ftp connection to net2ftp. That's it. After let's say, 20 views, your website will shut down for having taken up too much bandwidth. I use hourb, which is the best, but the only problem is that their ftp servers don't work unless you use their file manager.

Non-related to 000webhost. But, one really awesome host that can be yours (free for one year) is the Amazon EC2. You get root access, and you can do anything you wish with it.
It's really easy to manage, and really easy to use.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: shorena on November 18, 2015, 08:05:29 AM
It's hard to find that one password among 15 million, so in a sense I already "know", I just can't access the knowledge because it's badly formatted. Even though I started formatting and sorting the passwords (I don't care much about the other data) it's still difficult to handle due to the size.
Badly formatted? What did you use to open the dump with? I thought it was Full name, email, password and it looked fine to me the last time I opened it.

Yes, but I can hardly grep for "Lauda's password". There are 232 lines with 'lauda' in it. There are also 5 people that use shorena as part of their password and 33 that contain 'shorena' in any context (mail, username or password), none of them are me. That's what I meant with "badly formatted", but I also never expected you to share the password.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Patatas on November 18, 2015, 08:11:30 AM
That's some sad news. I had an account with webhost for personal stuff, trying out my own website design and server side scripts. I did have some sensitive data but it doesn't seem to be affected. I had saved my passwords of all crypto related stuff including my gambling website passwords. Nothing of mine seems to be leaked. Already cleared my data though :) Thanks!


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: Lauda on November 18, 2015, 08:42:48 AM
Yes, but I can hardly grep for "Lauda's password". There are 232 lines with 'lauda' in it. There are also 5 people that use shorena as part of their password and 33 that contain 'shorena' in any context (mail, username or password), none of them are me. That's what I meant with "badly formatted", but I also never expected you to share the password.
Ah, that is what you meant. I understand now and you're right. Unless you exactly know my email address or something else that is specific, then you can't really tell which one might be me. For anyone that is affected they should just check that they aren't using the same password for anywhere else and there is no problem.


Title: Re: 000webhost hacked - 13 million passwords leaked
Post by: shorena on November 18, 2015, 08:54:13 AM
Yes, but I can hardly grep for "Lauda's password". There are 232 lines with 'lauda' in it. There are also 5 people that use shorena as part of their password and 33 that contain 'shorena' in any context (mail, username or password), none of them are me. That's what I meant with "badly formatted", but I also never expected you to share the password.
So that is what you meant. I understand now and you're right. Unless you exactly know my email address or something else that is specific, then you can't really tell which one might be me. For anyone that is affected they should just check that they aren't using the same password for anywhere else and there is no problem.

Yes, this should be done in general and the password should not be easy to guess like e.g. 000webhost or winter123 which is why Password managers are so great.
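
The reuse and guessability checks recommended in the last few posts, as an added example that is not part of the thread: a small audit a user can run over their own password-manager export. The vault entries are constructed, and the word list, season pattern, substitution table and length threshold are illustrative assumptions.

```python
import re
from collections import defaultdict
# Constructed sample of one user's own password-manager export: (site, password).
VAULT = [
    ("000webhost.com", "000webhost"), ("forum.example", "winter123"),
    ("mail.example", "winter123"), ("shop.example", "Passw0rd"),
    ("bank.example", "qwertyuiop"), ("git.example", "t7#Lq9vXe2!mRz4w"),
]
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
COMMON_WORDS = ("password", "abc123", "letmein", "welcome")  # illustrative, not exhaustive
SEASON_RE = re.compile(r"^(spring|summer|autumn|fall|winter)\d{1,4}$")
LEET = str.maketrans("01345$@", "oleassa")  # undo common letter substitutions

def is_keyboard_walk(pw, run=5):
    """True if pw contains `run` adjacent keys of one row, in either direction."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(r[i:i + run] in low for r in rows for i in range(len(r) - run + 1))

def weaknesses(site, pw):
    # Guessable patterns named in the thread: site name, season+digits, walks.
    low, found = pw.lower(), []
    label = site.split(".")[0].lower()
    if len(label) >= 4 and label in low:
        found.append("contains site name")
    if SEASON_RE.match(low):
        found.append("season+digits")
    if any(w in low or w in low.translate(LEET) for w in COMMON_WORDS):
        found.append("common word")
    if is_keyboard_walk(pw):
        found.append("keyboard walk")
    if len(pw) < 10:  # assumed minimum length for this example
        found.append("short")
    return found

def audit(vault):
    # Map each site to its findings; sites with no findings are omitted.
    sites_by_pw = defaultdict(list)
    for site, pw in vault:
        sites_by_pw[pw].append(site)
    report = {}
    for site, pw in vault:
        issues = weaknesses(site, pw)
        if len(sites_by_pw[pw]) > 1:
            issues.append("reused")
        if issues:
            report[site] = issues
    return report

if __name__ == "__main__":
    print(audit(VAULT))
```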