A security researcher has discovered a trove of more than 13 million plaintext passwords that appear to belong to users of 000Webhost, a service that says it provides reliable and high-speed webhosting for free.
The leaked data, which also includes users’ names and e-mail addresses, was obtained by Troy Hunt, an Australian researcher and the operator of Have I Been Pwned?, a service that helps people figure out if their personal data has been exposed in website breaches. Hunt received the data from someone who contacted him and said it was the result of a hack five months ago on 000Webhost.
Hunt has so far confirmed with five of the people included in the list that it contains the names, passwords, and IP addresses they used to access 000Webhost. “By now there’s no remaining doubt that the breach is legitimate and that impacted users will have to know,” he wrote in a blog post published Wednesday. He said that he worked hard to notify company officials and get them to publicly warn users that their passwords have been exposed. So far, all that’s happened, he said, is that the service has notified users who log in that their passwords have been reset “by 000Webhost system for security reasons.”