000webhosting offers free web hosting but there is a cost

Wed, 28th October 2015, 22:53

Free web hosting is a awesome concept but unfortunately there are few things in life that are free. That's not to say you can’t get web hosting without expending a monthly pittance. You can. It’s just not free. The cost for keeping cash in hand can take on various models. Whether through adware, data mining, up-selling to a paid format. Sometimes all three. But it isn’t free.

Troy Hunt run the website service 'Have I been pwned?' (HIBP), which allows people to discover where their personal data has been compromised on the web. When a breach hits the public airwaves, he load in the email addresses and those who subscribe to the service (editor's note: it’s really it is free!) get notified of their exposure or you can just search for yourself on the site.

Hunt writes on his blog that someone contacted him saying that approximately 5 months ago, a certain hacker hacked into 000webhost and dumped a 13 million user database consisting of name, last name, email and plain text password. Once Hunt determined that the data was in all likelihood real and from 000webhosts, he attempted to notify the company regarding their leaked data, thinking they’d want to advise their customers and obviously fix the underlying risk. Well this is where, according to Hunt, it all started to get very hard…

I'll spare repeating the steps as Hunt details them quite adequately, but it’s safe to say that 000webhosts gets very little hate mail. Actually they probably get no hate mail as it is near impossible to contact them. Reviews written by users of 000webhost on HostJury allude to the possibility that the host is merely a marketing tool to entice users to sign up for a paid hosting service offered by

And this is where Troy Hunt started sleuthing next.. and where he encountered further obstacles

“off to as well so let’s give them a go. I head over there and it’s a similar deal – no obvious contact info. Well that’s not entirely true, they have an image of a telephone with “24” next to it… then a fax number (they accept faxes 24 hours a day, perhaps?) plus an address in Cyprus”

Using the contact form, a helpful person named  Elvin S suggests Hunt contact 000webhost.

A day and a half later, a now obviously frustrated Hunt gave up on 000webhost and was again back at Hunt uses the contact feature to clearly explain the dilemma, even suggesting that the information be forwarded to their CEO (because that’s what their website suggest you should do). Hunt's efforts prove futile.

+2 days, 4 hours and 49 minutes after first attempting to contact them: I decide it’s not worth trying to get direct and personal contact and it’s more important that they’re convinced there’s a problem. I give them enough information to verify the breach but nothing that’s too sensitive to expose to a generic help desk worker

And that was the very last contact I had with them. To date, there have been zero response from them after that last message and this is a communication channel that had previously been pretty chatty. Clearly, this is just not something they want to know about.

Troy Hunt took to twitter to publicize the difficult situation he found himself in. And the quagmire got deeper. Hunt did get further confirmation the data originated from 000webhost and there were at least some rumors circulating of the breech, and that the information was stored in plain text. Most disturbing was a comment from one respondent…

The database is selling for upwards of $2,000 right now, I can't understand which moron would be considering giving you a copy for free when people can make some serious money from this database.

After four days of dealing with the web hosts, an exasperated Hunt contacts a friend. Thomas Fox-Brewster, a reporter with Forbes has reported on these sorts of incidents in the past in what Hunt describes as a fair and balanced manner. Fox-Brewster soon discovers the parent company of 000webhost and is UK based Hostinger. Fox-Brewster tries to get in touch with them but “they fob him off, not wanting to talk with him about the potential breach”….

But they were getting someone’s attention. All 000webhosting passwords were reset by the company this week and FTP has been disabled until November 10.

So far there is still zero communication about the actual breach itself. Not from 000webhost, or, or Hostinger. The data is still available in the shadier locales of the web... although it is not freely available. It will cost you around $2,000. As I said earlier. Nothing in life is really free!

Read Troy Hunt detailed version of events here.

Forbes Reporter Thomas Fox-Brewster version can be found here