This is to inform that InfinityFree databases can be opened using the login URL. When a user clicks on phpMyAdmin in CPanel, he is redirected to a certain URL. The password is sent as GET data and not POST. So, the third-parties in between such as ISP, etc can access the URL and thus login into phpMyAdmin.
For example, this is my db URL:
185.27.134.10/login.php?2=epiz_24246057xxxxx&db=epiz_24246057_survey
If we replace xxxxx in this URL with code, we get logged in. This URL is visible to ISP and in logs. Therefore, anyone with the URL can log in into db and easily attack it.
The way it works, is to use your ISP, you must have trust in them. Lots of data is passed and your ISP can see all. The whole function of an ISP, is built around your trust, for them providing you with internet, and not just seeing whatever your doing. If your so unnerved about it, use a proxy or VPN as suggested above.
But, if I am in a Company network or Public network, the company can log all requests and they can also access database.
Then, even if the website is HTTPS enabled and SSL/TLS supported, HTTP GET is not the safest way to send sensitive information. Login forms,etc must be sent using HTTP POST method only. You can search about this in Internet for more info.
Yes, phpMyAdmin should have SSL but doesn’t. Unfortunately, not much we (InfinityFree) can do about it. iFastNet knows about it and chooses not to act on it. Please let them know yourself if you have complaints about that.