000webhost hacked - 13 million passwords leaked

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: Lauda on November 18, 2015, 04:42:48 AM

Quote from: shorena on November 18, 2015, 04:05:29 AM

Yes, but I can hardly grep for "Lauda's password". There are 232 lines with 'lauda' in it. There are also 5 people that use shorena as part of their password and 33 that contain 'shorena' in any context (mail, username or password), none of them are me. Thats what I meant with "badly formatted", but I also never expected you to share the password.

So that is what you meant. I understand now and you're right. Unless you exactly know my email address or something else that is specific, then you can't really tell which one might be me. For anyone that is affected they should just check that they aren't using the same password for anywhere else and there is no problem.

Yes, this should be done in general and the password should not be easy to guess like e.g. 000webhost or winter123 which is why Password managers are so great.

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: shorena on November 18, 2015, 04:05:29 AM

Yes, but I can hardly grep for "Lauda's password". There are 232 lines with 'lauda' in it. There are also 5 people that use shorena as part of their password and 33 that contain 'shorena' in any context (mail, username or password), none of them are me. Thats what I meant with "badly formatted", but I also never expected you to share the password.

Ah, that is what you meant. I understand now and you're right. Unless you exactly know my email address or something else that is specific, then you can't really tell which one might be me. For anyone that is affected they should just check that they aren't using the same password for anywhere else and there is no problem.

Patatas

legendary

Activity: 1750

Merit: 1115

Providing AI/ChatGpt Services - PM!

That's some sad news.I had an account with webhost for personal stuff trying out my own website design and server side scripts.I did have some sensitive data but doesn't seem to be affected.I had saved my passwords of all crypto related stuff including my gambling website passwords.Nothing of mine seems to be leaked.All ready cleared my data though

Thanks!

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: Lauda on November 17, 2015, 06:47:01 PM

Quote from: shorena on November 17, 2015, 04:42:06 PM

Its hard to find that one password among 15 million, so in a sense I already "know" I just cant access the knowledge because its badly formatted. Even though I started formatting and sorting the passwords (I dont care much about the other data) its still difficult to handle due to the size.

Badly formatted? What did you use to open the dump with? I thought it was Full name, email, password and it looked fine to me the last time I opened it.

Yes, but I can hardly grep for "Lauda's password". There are 232 lines with 'lauda' in it. There are also 5 people that use shorena as part of their password and 33 that contain 'shorena' in any context (mail, username or password), none of them are me. Thats what I meant with "badly formatted", but I also never expected you to share the password.

Parazyd

hero member

Activity: 812

Merit: 587

Space Lord

Quote from: Decoded on November 17, 2015, 08:42:47 PM

Damn, to think the day before, I deleted my account xD

I never liked their service anyway. The only good thing that they provided was a working ftp connection to net2ftp. That's it. After let's say, 20 views, your website will shut down for having taken up too much bandwidth. I use hourb, which is the best, but the only problem is that their ftp servers don't work unless you use their file manager.

Non-related to 000webhost. But, one really awesome host that can be yours (free for one year) is the Amazon EC2. You get root access, and you can do anything you wish with it.
It's really easy to manage, and really easy to use.

Decoded

legendary

Activity: 1232

Merit: 1030

give me your cryptos

Damn, to think the day before, I deleted my account xD

I never liked their service anyway. The only good thing that they provided was a working ftp connection to net2ftp. That's it. After let's say, 20 views, your website will shut down for having taken up too much bandwidth. I use hourb, which is the best, but the only problem is that their ftp servers don't work unless you use their file manager.

John (John K.)

legendary

Activity: 1288

Merit: 1227

Away on an extended break

Yep, I found my old account there. It's good that I used a password manager and had unique passwords though Cheesy

ryandanielt

sr. member

Activity: 267

Merit: 250

i guess thats why it was always the smartest thing to not use the same password for every site. I got i think 32 different passwords in my head I use lol

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: shorena on November 17, 2015, 04:42:06 PM

Its hard to find that one password among 15 million, so in a sense I already "know" I just cant access the knowledge because its badly formatted. Even though I started formatting and sorting the passwords (I dont care much about the other data) its still difficult to handle due to the size.

Badly formatted? What did you use to open the dump with? I thought it was Full name, email, password and it looked fine to me the last time I opened it.

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: Parazyd on November 17, 2015, 02:32:53 PM

Quote from: shorena on November 17, 2015, 02:28:53 PM

Quote from: Lauda on November 17, 2015, 02:23:50 PM

Quote from: Parazyd on November 17, 2015, 12:32:14 PM

It's a legit dump nevertheless... I found my account inside Undecided

Yes, legit. I verified.

Just curious, what was your password?

Wouldn't you like to know? Cheesy

You can PM me, I'll give you the dump.

Already got it, thanks.

Its hard to find that one password among 15 million, so in a sense I already "know" I just cant access the knowledge because its badly formatted. Even though I started formatting and sorting the passwords (I dont care much about the other data) its still difficult to handle due to the size.

Parazyd

hero member

Activity: 812

Merit: 587

Space Lord

Quote from: shorena on November 17, 2015, 02:28:53 PM

Quote from: Lauda on November 17, 2015, 02:23:50 PM

Quote from: Parazyd on November 17, 2015, 12:32:14 PM

It's a legit dump nevertheless... I found my account inside Undecided

Yes, legit. I verified.

Just curious, what was your password?

Wouldn't you like to know? Cheesy

You can PM me, I'll give you the dump.

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

Quote from: Lauda on November 17, 2015, 02:23:50 PM

Quote from: Parazyd on November 17, 2015, 12:32:14 PM

It's a legit dump nevertheless... I found my account inside Undecided

Yes, legit. I verified.

Just curious, what was your password?

Quote from: Lauda on November 17, 2015, 02:23:50 PM

-snip-
They always say "more security" until someone leaks the next set of unencrypted data.

The way they handled the person reporting them the leak speaks volumes. They probably run other hosting companies as well, they did some cross promotions on facebook.

Quote from: Lauda on November 17, 2015, 02:23:50 PM

-snip-
Interesting "hard-to-crack" passwords indeed.
-snip-

do grep correcthorsebatterystaple

Some of the passwords are actually good though, they look random and have a decent length. Others however... Passw0rd, abc123, lots of keyboard walking.

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: Parazyd on November 17, 2015, 12:32:14 PM

It's a legit dump nevertheless... I found my account inside Undecided

Yes, legit. I verified.

Quote from: Parazyd on November 17, 2015, 11:29:25 AM

Did you find mine? A fucking 6char password... Damn I was an idiot back then. I think it was 2010. or something.

Not really. As said, I just looked through it I was not looking for anything particular and have already removed the file. Interesting "hard-to-crack" passwords indeed.

Quote from: Flash1997 on November 17, 2015, 12:44:35 PM

This had been happen some week ago but now they are back online, with more security.

They always say "more security" until someone leaks the next set of unencrypted data.

Lt.Bitcoin

member

Activity: 91

Merit: 10

On the mission to earn 100 BTC

Quote from: Flash1997 on November 17, 2015, 12:44:35 PM

This had been happen some week ago but now they are back online, with more security.

Hello Flash1997,

I opened their website and i think now no one will be going to create an account their. The site doesn't provide any proof that our passwords are secured with them. They should be checked and verified by some group of users whom we can trust at all.

Hope to see them back in business soon, I had an account pwned! Tongue

Lt.Bitcoin

Flash1997

full member

Activity: 183

Merit: 100

This had been happen some week ago but now they are back online, with more security.

Parazyd

hero member

Activity: 812

Merit: 587

Space Lord

Quote from: Spoetnik on November 17, 2015, 11:51:08 AM

Quote from: Parazyd on November 17, 2015, 10:54:29 AM

I have a copy of the dump. All the passwords are plaintext Grin

You see how dumb people actually are with their passwords...

What do I do with it now?

brag to your friends about having them LOL

edit:
Ahh i see the pwned site now.
Yeah i have been there before with another hacker story i seen at Neowin.net News site.
It's legit i think.
And no i was not on the list of pwned guys but i will see again now hahhaha
i thought it was just for that one incident long ago.. not multiple hacks etc.

edit:
Nope.
I checked all the accounts i use ..i was not on any list Cool

I didn't think i would be..

It's a legit dump nevertheless... I found my account inside Undecided

Spoetnik

legendary

Activity: 1540

Merit: 1011

FUD Philanthropist™

Quote from: Parazyd on November 17, 2015, 10:54:29 AM

I have a copy of the dump. All the passwords are plaintext Grin

You see how dumb people actually are with their passwords...

What do I do with it now?

brag to your friends about having them LOL

edit:
Ahh i see the pwned site now.
Yeah i have been there before with another hacker story i seen at Neowin.net News site.
It's legit i think.
And no i was not on the list of pwned guys but i will see again now hahhaha
i thought it was just for that one incident long ago.. not multiple hacks etc.

edit:
Nope.
I checked all the accounts i use ..i was not on any list Cool

I didn't think i would be..

Parazyd

hero member

Activity: 812

Merit: 587

Space Lord

Quote from: Lauda on November 17, 2015, 11:12:37 AM

Quote from: Parazyd on November 17, 2015, 10:54:29 AM

I have a copy of the dump. All the passwords are plaintext Grin

You see how dumb people actually are with their passwords...

What do I do with it now?

Well you can't generalize either. There are people that have created their accounts in the past for testing (or other reasons) and have not deleted them. However, you are also right. I have quickly looked through that list as well.

Did you find mine? A fucking 6char password... Damn I was an idiot back then. I think it was 2010. or something.

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: Parazyd on November 17, 2015, 10:54:29 AM

I have a copy of the dump. All the passwords are plaintext Grin

You see how dumb people actually are with their passwords...

What do I do with it now?

Well you can't generalize either. There are people that have created their accounts in the past for testing (or other reasons) and have not deleted them. However, you are also right. I have quickly looked through that list as well.

Parazyd

hero member

Activity: 812

Merit: 587

Space Lord

I have a copy of the dump. All the passwords are plaintext Grin

You see how dumb people actually are with their passwords...

What do I do with it now?

An0nym0us

sr. member

Activity: 303

Merit: 250

Fuck i had a account there....

Lt.Bitcoin

member

Activity: 91

Merit: 10

On the mission to earn 100 BTC

Quote from: Lauda on November 16, 2015, 05:10:29 PM

Quote from: WWC-DEV on November 16, 2015, 10:55:46 AM

Is it safe to visit this site?

That site is actually very good and I did not know that it existed. I just checked that I was "pwned". I didn't even know that I had accounts on some of these places! Time to start deleting. It's quite unfortunate that this happens on places that do not deserve to be hacked. This is why companies need to start hiring more (skilled) people to handle security, it should never be neglected.

Yup, I got that information while i was searching for free web hosting and security is the main thing of any organization or anything. From your home to your phones, I think 000webhost had this intention to do that's why they stored the data in plain text instead of an encrypted string.

Lt.Bitcoin

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: WWC-DEV on November 16, 2015, 10:55:46 AM

Is it safe to visit this site?

That site is actually very good and I did not know that it existed. I just checked that I was "pwned". I didn't even know that I had accounts on some of these places! Time to start deleting. It's quite unfortunate that this happens on places that do not deserve to be hacked. This is why companies need to start hiring more (skilled) people to handle security, it should never be neglected.

shorena

copper member

Activity: 1498

Merit: 1528

No I dont escrow anymore.

The full dump is here[1] for now at least[2]. Very interesting top100 passwords, esp. #11 (outch) and the seemingly random one that was used >9000 times[4].

[1] https://000webhost.thecthulhu.com/
[2] https://twitter.com/CthulhuSec/status/666167981949526016
[3] https://twitter.com/asdizzle_/status/661323805214814209
[4] https://twitter.com/asdizzle_/status/665933815420989440

WWC-DEV

full member

Activity: 125

Merit: 100

Quote from: Daniel91 on November 16, 2015, 01:48:19 PM

This is old news already, happened 2 weeks ago.
WE all had to change passwords and now can use this hosting and edit our sites again, without problem.

There are some people who lost their accounts too.

Daniel91

legendary

Activity: 3374

Merit: 1824

This is old news already, happened 2 weeks ago.
WE all had to change passwords and now can use this hosting and edit our sites again, without problem.

WWC-DEV

full member

Activity: 125

Merit: 100

Quote from: Faradey100 on November 16, 2015, 11:39:53 AM

They not publiced logins and passwords?

I don't think the passwords are public yet.

kolloh

legendary

Activity: 1736

Merit: 1023

Wow 13million user records and passwords stored in plain text. /facepalm

Faradey100

newbie

Activity: 42

Merit: 0

They not publiced logins and passwords?

Spoetnik

legendary

Activity: 1540

Merit: 1011

FUD Philanthropist™

I heard similar a week ago about cheating date site Ashley Madison

mexxer-2

hero member

Activity: 924

Merit: 1005

4 Mana 7/7

Quote from: WWC-DEV on November 16, 2015, 11:06:07 AM

Is that site owned by pcworld?

Nope, I meant its backed/supported/reported(in a good way) by PCworld and other sites like thebussinessinsider, digitaltrends etc. You can see it if you google it

WWC-DEV

full member

Activity: 125

Merit: 100

Quote from: mexxer-2 on November 16, 2015, 11:00:01 AM

Quote from: WWC-DEV on November 16, 2015, 10:55:46 AM

Quote from: Lt.Bitcoin on November 16, 2015, 10:48:44 AM

If you want to check if you are victim or not of this attack, visit here: https://haveibeenpwned.com/

Is it safe to visit this site?

Backing from pcworld and other trusted sites. Seems safe to visit.

Is that site owned by pcworld?

mexxer-2

hero member

Activity: 924

Merit: 1005

4 Mana 7/7

Quote from: WWC-DEV on November 16, 2015, 10:55:46 AM

Quote from: Lt.Bitcoin on November 16, 2015, 10:48:44 AM

If you want to check if you are victim or not of this attack, visit here: https://haveibeenpwned.com/

Is it safe to visit this site?

Backing from pcworld and other trusted sites. Seems safe to visit.

WWC-DEV

full member

Activity: 125

Merit: 100

Quote from: Lt.Bitcoin on November 16, 2015, 10:48:44 AM

If you want to check if you are victim or not of this attack, visit here: https://haveibeenpwned.com/

Is it safe to visit this site?

Lt.Bitcoin

member

Activity: 91

Merit: 10

On the mission to earn 100 BTC

Hello Guys!

I just saw this news here:
http://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/
http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

000webhost has been recently hacked and 13 million plain passwords has been leaked.
If you want to check if you are victim or not of this attack, visit here: https://haveibeenpwned.com/

Such a bad news for the users of 000webhost.com
Lt.Bitcoin

Topic: 000webhost hacked - 13 million passwords leaked (Read 2039 times)