Following the news of the 000Webhost breach, Tod Beardsley, Security Engineering Manager at Rapid7, has the following comments on it.
Tod Beardsley, Security Engineering Manager at Rapid7:
“The breach story involving the 13.5 million customers of 000Webhost, a popular free web hosting provider, is a by-the-numbers “what not to do” cautionary tale about breach notification handling. While the company appears to have forced a password reset on all its users, there has reportedly been no notification by the parent company, Hostinger, to the affected customers about their disclosed user names and passwords.
We know that breaches happen, with some regularity, so I don’t blame 000Webhost for getting compromised, but it’s critical that organisations that suffer a compromise communicate effectively, quickly, and directly to their customer base with steps to protect themselves. Given 000Webhost’s position as a top free web hosting provider, there are undoubtedly thousands and thousands of small companies who rely on 000Webhost for their economic viability, and every one of them is now exposed to casual vandalism.
People and small companies who are looking for hosting need to start demanding reasonable standards when it comes to breach and vulnerability handling. Depressingly, every list of “best free web hosting services” I could find, including the Wikipedia comparison page[1], lacks any sort of security criteria that people can use to make informed choices. Feature sets and usability are important, to be sure, but regular security patching, public audit records, and a statement of intent of how breaches are handled are crucially important to protect users’ data, not to mention the downstream customers’ data.”

About Rapid7
Rapid7 security data and analytics software and services help organizations reduce the risk of a breach, detect and investigate attacks, and build effective IT security programs. With comprehensive real-time data collection, advanced correlation, and insight into attacker techniques, Rapid7 strengthens an organization’s ability to defend against everything from opportunistic drive-by attacks to advanced threats. Unlike traditional vulnerability management and incident detection technologies, Rapid7 provides visibility, monitoring, and insight across assets and users from the endpoint to the cloud. Dedicated to solving the toughest security challenges, Rapid7 offers proprietary capabilities to spot intruders leveraging today’s #1 attack vector: compromised credentials. Rapid7 is trusted by more than 3,700 organizations across 90 countries, including 30% of the Fortune 1000.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.