Notes on breach notification handling – 000Webhost breach
Recently, following the news of the 000Webhost breach, Tod Beardsley, security engineering manager at Rapid7, expressed his views on companies and their breach notification handling policies. He noted:
“The breach story involving the 13.5 million customers of 000Webhost, a popular free web hosting provider, is a by-the-numbers ‘what not to do’ cautionary tale about breach notification handling. While the company appears to have forced a password reset on all its users, there has reportedly been no notification by the parent company, Hostinger, to the affected customers about their disclosed user names and passwords.
“We know that breaches happen, with some regularity, so I don’t blame 000Webhost for getting compromised, but it’s critical that organisations who suffer a compromise communicate effectively, quickly, and directly to their customer base with steps to protect themselves. Given 000Webhost’s position as a top free web hosting provider, there are undoubtedly thousands and thousands of small companies who rely on 000Webhost for their economic viability, and every one of them is now exposed to casual vandalism.
“People and small companies who are looking for hosting need to start demanding reasonable standards when it comes to breach and vulnerability handling. Depressingly, every list of ‘best free web hosting services’ I could find, including the Wikipedia comparison page, lacks any sort of security criteria that people can use to make informed choices. Feature sets and usability are important, to be sure, but regular security patching, public audit records, and a statement of intent of how breaches are handled are crucially important to protect users’ data, not to mention the downstream customers’ data.”