It's been said before but it bears repeating that if you're not paying for a service, you are the service. Furthermore, if you are the service, you get what you pay for, which in the realm of digital security, means that free-loaders are free-basing if they think that their data is in any way secure.
Which brings us to today's episode of "no one could've predicted", where 000webhost.com (archived), an online web service advertising "free" PHP and MySQL hosting with up to 1.5 gigabytes of storage and 100 gigabytes of traffic, has been revealed to be storing user credentials, including plaintext passwords, in the URL, as well as generally neglecting even rudimentary uses of cryptography to protect user information and content. This investigation came after the exceedingly mild-mannered, if persistent, "security researcher" Troy Hunt (archived), was tipped off to the data breach by an unnamed contact, a breach which itself contained full names, usernames, passwords, email addresses, and IP addresses. Interestingly, while Hunt has added the 13,545,468 email addresses to his own free service, the searchable database Have I Been Pwned? (archived), he has a personal policy of not publicly sharing the precise contents of data breaches with the general public.
However, it can still be determined that the magnitude of the gross and insipid incompetence of the 000webhost team1 raises the bar for obscurantist obstinacy, a bar that wasn't particularly low after the recent FetLife and Ashley Madison embarrassments.