The attacker used an opening in an old, unpatched version of PHP to upload malicious files and gain access to the service’s systems. “Not only was the full database containing the usernames, passwords and email addresses compromised, but this information has been dumped online,” ZDNet reports.
The data dump contained plain-text passwords.
If these passwords are used on any other services, users should change them as soon as possible.
Security disclosure service XSSposed has detailed the vulnerability that may have been a doorway for the intruder. On Oct. 26, a researcher reported a cross-site scripting vulnerability on 000webhost.com, joining another six vulnerabilities reported by security teams. The vulnerability was still unpatched, placing users at risk.