The web hosting provider Hostinger suffered a large data breach and, as a precaution, reset the passwords of all of its customers.
Hostinger revealed in a blog post that “an unauthorized third party” had breached one of its servers and gained access to “hashed passwords and other non-financial data” belonging to millions of its customers.
The breach occurred on August 23, when unknown attackers found an authorization token on one of the company's servers and used it to gain access to an internal system API without needing any username or password.
Once alerted to the breach, Hostinger immediately restricted access to the vulnerable system and contacted the relevant authorities.
The server held an authorization token that was used to obtain further access and escalate privileges to Hostinger's RESTful API server, which is used to query details about clients and their accounts. The API database holds personal information on around 14 million Hostinger customers, including usernames, email addresses, hashed passwords, first names and IP addresses, and this data was accessed by the attackers.
Hostinger has more than 29 million users, so the breach affected nearly half of its entire user base.
It is important to note that the company hashed its users' passwords with SHA-1 (hashing, not encryption: the passwords themselves were not stored, only their digests). SHA-1 is a fast general-purpose hash that was never designed for password storage, which makes the leaked hashes considerably cheaper for attackers to crack.
The company has reset all Hostinger Client login passwords and now hashes them with SHA-2, and it has sent password recovery emails to all affected customers. One caveat a practitioner would add: SHA-2 is also a fast general-purpose hash, so against offline cracking of a leaked database it offers little more than SHA-1; the accepted fix is a deliberately slow, per-user salted password hash such as bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count.
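As an added illustration of why the hash choice matters (this is example code written for this page, not Hostinger's code; the leaked records, usernames and wordlist are constructed), the block below runs a dictionary attack against unsalted SHA-1 hashes, shows that changing the digest to SHA-256 does nothing to slow that attack, and then repeats the attack against a salted, iterated scheme. PBKDF2-HMAC-SHA256 from Python's standard library stands in here for bcrypt or Argon2, which would be the usual production choice.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist and "leaked" records for the demonstration; not real Hostinger data.
WORDLIST = ["123456", "password", "hostinger", "letmein", "qwerty", "summer2019"]
SAMPLE_USERS = [("alice", "password"), ("bob", "summer2019"), ("carol", "Tr0ub4dor&3")]


def fast_hash(password: str, algo: str = "sha1") -> str:
    """Unsalted, single-pass digest: what a SHA-1 (or SHA-2) password store looks like."""
    return hashlib.new(algo, password.encode()).hexdigest()


# Two users with weak passwords from the wordlist, one with a strong one.
LEAKED_SHA1 = {u: fast_hash(p) for u, p in SAMPLE_USERS}
LEAKED_SHA256 = {u: fast_hash(p, "sha256") for u, p in SAMPLE_USERS}


def crack_unsalted(leaked: dict, wordlist: list, algo: str = "sha1") -> dict:
    """Attack on unsalted hashes: hash each candidate ONCE, then match every user against it."""
    table = {fast_hash(w, algo): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def pbkdf2_hash(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    """Salted, iterated password hash; format: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked: dict, wordlist: list) -> dict:
    """Same dictionary attack against salted, iterated hashes: no shared table, full cost per user per guess."""
    found = {}
    for user, stored in leaked.items():
        for w in wordlist:
            if pbkdf2_verify(w, stored):
                found[user] = w
                break
    return found


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core throughput of a hash function; the number depends on the machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    print("SHA-1   cracked:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    print("SHA-256 cracked:", crack_unsalted(LEAKED_SHA256, WORDLIST, "sha256"))
    salted = {u: pbkdf2_hash(p) for u, p in SAMPLE_USERS}
    print("PBKDF2  cracked:", crack_salted(salted, WORDLIST))
    for name, fn in [("sha1", fast_hash),
                     ("sha256", lambda p: fast_hash(p, "sha256")),
                     ("pbkdf2", pbkdf2_hash)]:
        print(f"{name:7s} ~{guesses_per_second(fn):,.0f} guesses/s on this machine")
```

Both unsalted stores give up the same two weak passwords, because the attacker's lookup table of candidate digests is shared across every user; the strong password survives only because it is not in the wordlist. The PBKDF2 store is still crackable for the weak passwords, but each guess costs 200,000 HMAC iterations for each user separately, which on a laptop turns millions of guesses per second into a handful. Throughput is printed rather than asserted because it varies by hardware.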
Notably, the company does not offer two-factor authentication (2FA) as an additional layer of security for customer accounts.
Hostinger has assured its customers that their financial data was not accessed, because the company does not store payment card data or other sensitive financial data on its servers.
The company says a thorough investigation found that Hostinger Client accounts, and the data stored in them, including websites, domains and hosted emails, were not affected.
Further investigation is still ongoing, and a team of internal and external forensics experts and data scientists has been assembled to identify the origin of the breach and strengthen security measures across all of the company's operations.
After the reset, the company also asks customers to set a strong and unique password for their Hostinger accounts and to be wary of suspicious emails that ask them to click links or download attachments.