Customers of 000Webhost recently found out a security breach caused 13.5 million plaintext passwords to be stolen. The passwords were taken, along with user names, email addresses and IP addresses. They were all taken from the MySQL and free Lithuanian PHP used by host 000Webhost.
The breach happened in March of 2015, but the announcement about how many passwords were taken was just announced. Before the company even became aware of the breach, the information has been sold. It came from an anonymous source.