000webhost, a free web hosting service, has suffered a data breach which put some 13 million of its users at risk. The company announced the breach on Wednesday through a Facebook post.
The company said a hacker used an exploit in an old PHP version to upload “some files”, allowing him to gain access to the company’s systems.
“Although the whole database has been compromised, we are mostly concerned about the leaked client information,” the post reads.
The information acquired through the breach was posted online, 000webhost says, adding that the company removed all illegally uploaded pages as soon as it became aware of the breach.
“Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future. A thorough investigation to make sure the breach does not exist anymore is in progress.”
According to Troy Hunt, Microsoft MVP for Developer Security, the record dump contained plain-text passwords, meaning whoever stole them could have started using them straight away.
As a result, if these passwords are used on any other services, users should change them as soon as possible. 000webhost has also asked users to change their account passwords following a site-wide reset, but at the time of writing the website is down for repairs and there is nothing customers can do at present.
“We apologize for this hassle but it has to be done to ensure your data is safe. We are going to upgrade our systems step by step and will be aiming to be super-careful in future,” 000webhost concludes.