Hostinger resets passwords after data breach affects 14m users

26 Aug 2019

Image: © Evgen3d/Stock.adobe.com

Just under half of Hostinger’s 29 million customers were affected by a data breach.

On Sunday (25 August), web hosting provider Hostinger announced that it has reset all client passwords as a precautionary measure following a recent data breach.

In a blogpost, the company said: “We are taking this extremely seriously and want to let everyone know what has happened and the immediate steps we have taken to protect our clients’ security.”

The company explained that a third party managed to gain access to Hostinger’s internal system API, where hashed passwords and non-financial data relating to the company’s customers was accessible.

In a breakdown of the events, the company said it received informational alerts on Friday, notifying it that an unauthorised third party had accessed its servers.

“This server contained an authorisation token, which was used to obtain further access and escalate privileges to our system RESTful API server. This API server is used to query the details about our clients and their accounts,” Hostinger said.

“The API database, which includes our client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorised third party. The respective database table that holds client data, has information about 14 million Hostinger users.”

Hostinger has more than 29 million users, meaning the breach has affected just under half of its total client base.

Response

Shortly after learning of the vulnerability, Hostinger said it restricted access to the system and got in contact with the appropriate authorities.

As a precautionary measure, the company sent emails to all of its customers, with information regarding the password reset.

The company wrote: “We use a cryptographic hash function to encrypt all our client passwords. It is a one-way mathematical function that converts your password to a seemingly random sequence of characters.”

In its blog post, the hosting platform assured customers that their financial data has not been breached, as transactions are made through authorised and certified third-party payment providers. It said it does not store payment card data or financial data belonging to customers on its servers.

As well as prompting users to change their passwords after the reset, the company also said: “Clients should be cautious of any unsolicited communications that may ask for your login details, personal information or refer you to a website asking for the above-mentioned information.

“We also strongly suggest to avoid clicking on the links or downloading attachments from suspicious emails.”

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com