HostHatch Was Not Breached

Funnily enough, you are the first and only person that I know of, who has talked about it on a hosting forum, or any forum in general. Not even a single customer has once contacted us, or me, about this in the last 3 years. “Internet” is a vast place, and many websites claim many strange things.

But you seemed 100% confident in what you said, so much so that you attacked one of our customers for “not doing their research”. So I naturally I assumed you wouldn’t have done so without seeing the actual evidence. Because that would be my personal criteria for attacking someone, but to each their own.

You made snarky comments like this:

You didn’t ask others for opinion, nor did you contact me. You confidently and quite arrogantly said that this happened, without proof.

Obviously when someone questioned you for proof - all the snarkiness disappeared and you suddenly became mature, as you are acting now.

So I will return the favor of being mature and post the full story after I get my sleep. Hope you will learn a thing or two about being honest and less snarky afterwards. To be clear, there is no breach.


Can’t wait for the full story, and can’t wait to hear why it hasn’t been removed for the past few years.

Civil discussions are fine, this was starting to get out of hand. I appreciate that @Theseus tried to end the discussion, I can also appreciate @Abdullah wanting to defend HostHatch afterward. The conversation has been moved to it’s own thread (as the length warranted it) and you are free to continue discussing the subject at hand should you choose to do so, just keep things civil.

For the record, the primary reason that this thread hasn’t been closed is because, quite frankly, I’m interested to hear the other side of the story.


This went a bit out of hands still, especially on my part. If @Abdullah posts the full story behind it which proves that it didn’t happen and posted something false, I’d like to get things cleaned up which went too far - and of course I will make sure to apologise in public.


Shit happens, thank you for being mature about it. I’m looking forward to hearing the other side of the story.


Firstly, since people keep mentioning - I should clarify that this is likely a new listing from a few months ago, since I haven’t seen this before yesterday. The source db appears to be clearly the same.

The original listing was done on, nearly 3 years ago. Soon after this, we were contacted by someone telling us that they have access to a breached database, and that they want a certain amount of money in bitcoin for them to not share this with the world. There was no actual proof offered (hint hint), and all that was offered as a proof was a link to If we did not pay this money, the database would be leaked publicly.

There were holes in this story:

  1. If there was a breach, we would likely know about it.
  2. We did not have 20k accounts in Nov 2016. This number was far off.
  3. We used to use default whmcs behavior of emailing passwords a long long time ago (as did many other providers with very high reputation today), we were flamed for it, and this was changed. There were no 20k (or even 2k) plaintext passwords.
  4. Breaches like this, especially if there were plaintext passwords, do not remain hidden. They spread like wildfire. Remember Staminus?

If there was even a sliver of a chance of this being real, we would have informed the customers, and force reset all passwords - like any responsible company would do.

We knew this person was lying, he was blocked, and the case was over. His threat to “publicly leak the db” never became a reality.

In 3 years, not even a single customer has contacted us or me, asking about the listing on, or anywhere else. It was a non-issue. So I never bothered with it and went on living my life.

Now I assume it either began with this (Hi Hurley, or Theseus) or before this, but I was only made aware of it yesterday, that some troll appears to be making rounds on hostballs, making snarky comments with no evidence whatsoever about a db breach.

I have seen the “database” in question. It is a text file called “hosthatch.com_plain.txt” with email:password pairs, none of which belong to us. A lot of it is “123456” and “ab123d”. None of the emails are registered with us. So obviously someone was trolling with it, or it was simply created to blackmail us a few years ago.

Following is the email from after I let them know of this story yesterday:

Thanks for letting us know.

This must have slipped through our verification process as every database we add should be verified before we add it, so we apologize for having added it.

We have removed it from

Now I hope @Theseus is not the person who created this text file to blackmail us for money that never came. Considering no one else has ever cared in 3 years, he seems to be quite sure and motivated. So can I ask what the punishment is on this forum for attacking businesses with no proof? What is next, “He definitely murdered someone because I saw it on some hole in the internet”?


This might be a gamechanger here. The number of “stolen” passwords don’t add up anywhere, heavily affecting the legitimacy of’s collection.

Of course not, because the sites were far off from a regular search.

Ha, thanks.

Take a guess from above.

This is a really hard case. I was really here to attack everyone and everything back in the LET times, resulting in getting rid of several scammy hosts. Sometimes this was the only way to solve misteries. This time I made a mistake and I’ll make sure to correct it - I should’ve contacted you first.

I will clean up the mess I caused starting with this thread that got moved off from The Ball Pit and I’d like to have the LET post gone aswell (@doghouch please?). And of course my apology will stay here, I shouldn’t have trusted them in the first place. I’m really sorry about this, and I hope you won’t have bad feelings because of this.


Cheers, thanks for clearing this up. I’ve added HostHatch back to my original post.


Thanks for the detailed reply @Abdullah! Indeed, it seemed fishy that there was never any evidence, I’ve changed the thread title to reflect the truth.

I agree that @Theseus was far too quick to judge here, but he’s apologised and frankly his attacks were short posts under a single thread. Since he has apologised, no further action is necessary.

The conversation was originally started in The Ball Pit which means that it’s pretty unlikely that anyone would’ve stumbled upon it unless they were an active member. Furthermore, this conversation was always under the Off Topic category which prevents it from being indexed by search engines, but I’ve now moved this to General in your favour.

@Abdullah, sorry for the rocky entry but welcome to Host Balls! Despite this occurrence, this is usually a friendly and supportive community. Hopefully you’ll stick around!

@Theseus, this isn’t LET, please do your due diligence before flaming a provider in the future please.


Might want to change “HostBreach” to HostHatch in the staff edit of the first post :wink:


Whoops. I woke up 20 minutes ago, my bad :sweat_smile:


alrighty then! Welcome to hostbreachballs @Abdullah - apologies for the drama, and thanks for sharing that fascinating backstory.

And I’m guessing @Theseus might have some ironic opportunity to appreciate the value of a (slightly) higher standard of proof when accusations are made in either direction - but, really does seem like an easy mistake for a person to make, so I’m glad to see it get resolved without more hard feelings.

Thinking a bit about the bigger picture now though … maybe this messy little near-miss will at least serve as a good reminder for anyone reading this (and that means endusers as well as providers) to take a hard look at their own security posture, and to seriously consider the real possibility and potential consequences of a breach.


On that note, I have heard of these cases where people try to pass off a database as belonging to a host that has nothing to do with the actual host. There was some underground talk of a database for a large host that I previously worked at that, upon examination, had nothing to do with that host at all.

We may well be in a new time where people pass off parts of the antipublic combo list as various other things.


Sorry for jumping in. What’s a combolist? Never heard of it before.

It’s a big collection of passwords from various breaches. Almost certainly you are, or someone you know is, in that one. I’m in it, as is just about everyone I know.

1 Like

There are a few combo lists out there that you can easily torrent. Gives you about 18 GB worth of email / password combinations. I have like 8 entries in there. The most shitty thing is that spammers use that list too, so you’re basically a confirmed victim once you appear on such list.

Edit: it’s actually 44 GB at this point in time.


1 Like

The real money, and I’m surprised no one has so obviously done this yet:

Find people who use social media to declare their usage of a service provider, draw correlation between that and antipublic listings, then create a database of users of that service and their passwords. Given that people reuse passwords so often, it’s actually quite likely that one could build a customer database of usernames and passwords for a service provider from publicly available information.


No worries, people are doing that in some way, just not in the host industry I guess.

See Sextortion scam knows your password, but don’t fall for it – Naked Security

1 Like

Irony of the day is that I would rather store my passwords in plaintext other than using any of these password managers who claim to have something they don’t.

I hate to admit but I ruined my previously flawless work by trusting a company like this. Gonna bash myself because of this for a while.

Run Bitwarden_rs on a Raspberry Pi back at your place. Enable 2FA. Safer than saving plain text passwords.

1 Like