Every now and then, I get someone contacting me like this:
Hey, approximately 5 months ago, a certain hacker hacked into 000webhost and dumped a 13 million record database consisting of name, last name, email and plaintext password
Now this puts me in an awkward position. On the one hand, the data would obviously be a good addition to HIBP and the people impacted would really want to know about it. On the other hand, by no means do I want HIBP to be thought of as a disclosure channel. In fact, what I normally say to anyone sending me this info is that unless it's been publicly documented somewhere, I don't want a bar of it.
However, a number of things made this incident a bit unique. Firstly, the guy (and that's usually a safe assumption when it comes to this sort of thing) had already given me the data and it only took one glance to see that yes, it was indeed plain text passwords. He was also correct in saying it was 13M records; in fact it was a little bit more than that. It was very apparent that if this was legitimate, it was indeed a very serious data breach and one that had the potential to impact a very large number of people. So I did a bit of research.
Oh boy 000webhost messed up royally on handling that one. I suggest to everyone who's using 000webhost to change all your passwords right now, and also change the passwords on your other accounts if you use the same. Also, seeing how 000webhost is currently handling that situation, I would be tempted to tell you to stop using their service and move to a more secure and reliable provider.