Hostinger stated that it has changed the login credentials of 14 million of its customers who were affected in the recent security breach. The popular web hosting provider revealed that an unauthorized third-party accessed one of their client’s servers on August 23, 2019, and obtained customers’ sensitive information.
Hostinger stated that the exposed information included customers’ usernames, first names, hashed passwords, IP addresses, and emails. Along with the customers’ data, the attackers managed to gain access to Hostinger’s internal system API that contained hashed passwords and non-financial data of customers.
“On August 23rd, 2019 we received informational alerts that one of our servers has been accessed by an unauthorized third-party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server. This API Server is used to query the details about our clients and their accounts,” Hostinger said in a blogpost.
Hostinger clarified that it has reset all its client passwords as a security measure and started an investigation on the issue.
“Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our clients, including mandatory password reset for our clients and systems within all of our infrastructure. Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities,” Hostinger stated.