Jake Charman

Resident Geek of Nitrous Junkie Racing


Mon 2 Nov 2015

This post starts a lot like the last, 000WebHost, passwords leaked etc. 

Aside from the passwords of users apparently being stored in plain text in a database which in my mind is completely inexcuseable, I’m really starting to see what a terrible service 000WebHost really were.
Let me explain my use case:
9/10 year old me has built a website and wants to learn how hosting works but can’t afford (and doesn’t have a credit card to pay for) premium hosting. A quick Google search for “free web hosting” and  pretty much the only viable option that comes up is 000WebHost. The service actually looks pretty good even now. 99.9% uptime, no ads (so they say), unlimited bandwidth. All things we are used to seeing with premium options. So I sign up, admittedly the site does look rather sketchy from the beginning with absolutely zero in the way of email verification and your chosen password in plain text in your inbox. Anyways, I’ve had sites hosted there for a year or two, the ads start to annoy me and I’m moving to more interesting things so I decide to close my account. Except you can’t. Even when emailing support requesting that all your data be removed from their database (which may actually be a legal thing but definitely don’t quote me on that) they do nothing. 
So when I decided to start playing with websites again last year, I logged back into my old account (with the full intention to move away again and find something better given time) and threw up a basic HTML page. Shortly after, I wanted to play with PHPBB forums. However the PHP version was too out of date for PHPBB to run and on searching the internet I read that their paid services offer newer PHP versions. So really, the data breach was caused by a marketing decision not to implement a newer version of PHP for free users. Which I find rediculous. 
I am currently looking for a new hosting provider to replace Hostinger as I simply don’t want the developers of 000WebHost having any control over my web pages after making so many stupid errors. I’m hoping I can delete my account but if not the password will be a randomly generated one before I leave so this cannot happen again.
While I highly doubt he’s reading, I’d like to thank Troy Hunt (@troyhunt on twitter, www.troyhunt.com) for first alerting me to the breach via his twitter account and for his awesome project www.haveibeenpwned.com which helped me confirm if I had been affected. Which I had. 
I will be very interested to see the dump if it ever becomes public to see exactly what is contained and if there are any measures at all taken to disguise the password field. Authough British ISPs might class that as suspicious and report me as a black hat hacker or something.