Hostinger disclosed a recent data breach impacted 14 million customers. Read on to know more about it…
Recently, Hostinger disclosed a data breach that impacted 14 million customers and allowed unauthorized access to a client database behind its internal API server. Hostinger said in a blog post that it received an alert that one of its servers had been improperly accessed. Using an access token found on that server, which grants access to systems without requiring a username or password, the attacker gained further access to the company's systems, including the API database.
Hostinger became aware of the incident on August 23, 2019, after it received alerts that one of its internal servers, which contained an authorization token, had been accessed by a third party. The attackers used the authorization token obtained from that internal server to gain further access and escalate privileges to Hostinger's RESTful API server.
That database contained customers' usernames, email addresses, IP addresses and passwords hashed with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing. The company has since upgraded its password hashing to the stronger SHA-2 algorithm.
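The article reports a move from unsalted SHA-1 to SHA-2 for stored passwords. What a defender actually has to do in that situation is migrate existing records without ever having the plaintext on hand, which is only available at the moment a user logs in. The example below is added here and is not Hostinger's code or a description of their implementation; it assumes a legacy store of unsalted SHA-1 hex digests (as the article describes) and chooses PBKDF2-HMAC-SHA256, a SHA-2-based construction from the Python standard library that adds a per-user salt and a configurable work factor, as the target scheme. The iteration count, record format and sample user are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: a work factor in the range current guidance recommends for
# PBKDF2-HMAC-SHA256. Tune to your hardware; it is a parameter, not a constant.
PBKDF2_ITERATIONS = 600_000
MODERN_PREFIX = "pbkdf2_sha256$"


def make_sample_records():
    """Constructed sample store: one user whose password is kept as an
    unsalted SHA-1 hex digest, the legacy scheme described in the article."""
    return {"alice": hashlib.sha1(b"correct horse battery staple").hexdigest()}


def legacy_verify(stored_hex, password):
    """Check a password against an unsalted SHA-1 digest (legacy scheme).
    Constant-time comparison avoids leaking how many bytes matched."""
    candidate = hashlib.sha1(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_hex)


def modern_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted, iterated SHA-2-based hash and serialise it with its
    parameters so the verifier can recompute it later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{MODERN_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def modern_verify(stored, password):
    """Recompute PBKDF2 from the parameters embedded in the record."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo + "$" != MODERN_PREFIX:
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(dk_hex))


def login_and_migrate(records, username, password):
    """Authenticate a user and, on a successful legacy login, rewrite the
    record in the modern scheme. Returns (authenticated, migrated)."""
    stored = records.get(username)
    if stored is None:
        return False, False
    if stored.startswith(MODERN_PREFIX):
        return modern_verify(stored, password), False
    if legacy_verify(stored, password):
        # Only here is the plaintext available, so only here can we re-hash.
        records[username] = modern_hash(password)
        return True, True
    return False, False


if __name__ == "__main__":
    store = make_sample_records()
    print(login_and_migrate(store, "alice", "wrong-password"))
    print(login_and_migrate(store, "alice", "correct horse battery staple"))
    print(store["alice"][:40], "...")
    print(login_and_migrate(store, "alice", "correct horse battery staple"))
```

Because rehash-on-login leaves dormant accounts on the weak scheme indefinitely, a migration usually pairs it with a forced reset (as the article says Hostinger did) or with wrapping every legacy digest immediately, storing pbkdf2(sha1_hex) and marking the record so the verifier applies SHA-1 first. The sample store here only ever holds constructed data.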
“On August 23rd, 2019 we have received informational alerts that one of our servers has been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server*. This API Server* is used to query the details about our clients and their accounts.
*[Latest Edit on 2019-08-25 17:43 UTC]” reads the announcement published by the company.
Upon learning of the incident, the hosting provider hired a team of internal and external forensics experts and data scientists to investigate it and determine the origin of the attack. Once the origin of the unauthorized access was established, Hostinger took the necessary measures to protect its client data: it disabled access to the server by securing the API and all related systems, reset passwords for all of its clients and for systems within its infrastructure, and took further steps to improve the security measures across all Hostinger operations.
“We have reset all Hostinger Client passwords as a precautionary measure following a recent security incident.” reads the data breach notification published on the company website. “During this incident, an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our customers.”
Hostinger reported that no payment card or financial information was compromised, as it does not store payment card data on its servers, and that Hostinger client accounts were not impacted by the incident. The company said it was "in contact with the respective authorities."
“We completed a thorough internal investigation. Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected,” Hostinger said in a blog.