Hostinger, a prominent web hosting provider, has recently experienced a significant data breach, prompting the company to reset passwords for its entire customer base as a precautionary measure. In a blog post published over the weekend, Hostinger disclosed that an unauthorized third party compromised one of its servers, gaining access to “hashed passwords and other non-financial data” linked to millions of its users.
The incident occurred on August 23, when attackers used an authorization token they found on one of Hostinger’s servers. The token granted them access to an internal system API without any need for a username and password. In MITRE ATT&CK terms, this is a credential-based path to initial access: rather than exploiting a software flaw, the attackers abused a valid credential and a weakness in how the authorization token was protected and scoped.
Prompt action followed the breach’s discovery, with Hostinger isolating the compromised system and notifying the appropriate authorities. The company confirmed that the accessed server contained an authorization token that enabled further access and privilege escalation to their RESTful API server, which houses vital data about clients and their accounts.
The compromised API database held records on nearly 14 million Hostinger customers, exposing usernames, email addresses, hashed passwords, first names, and IP addresses. Given that Hostinger boasts over 29 million users, more than half of its user base has been impacted. It is worth noting that the company previously hashed passwords with the SHA-1 algorithm, a method deemed insufficiently secure against modern password-cracking techniques.
In response to the breach, Hostinger has reset all customer login passwords, now hashed with the more secure SHA-2 algorithm, and dispatched password recovery emails to those affected. However, the company does not currently offer two-factor authentication (2FA) for user accounts, though it plans to implement this added security feature in the near future.
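The two paragraphs above describe a move from unsalted SHA-1 password hashes to SHA-2. The following added example (not Hostinger’s code, and not taken from the article) shows what that upgrade looks like in practice for a defender: a salted, iterated construction built on SHA-256 (PBKDF2-HMAC-SHA256), constant-time verification, and a verify-then-rehash step that upgrades a legacy unsalted SHA-1 record the next time the user logs in successfully, so a service can migrate without knowing anyone’s plaintext password. The record layout, the `pbkdf2_sha256$<iterations>$<salt>$<hash>` string format, and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed iteration count for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """The legacy scheme the article describes: a bare, unsalted SHA-1 digest.
    Fast and unsalted, so identical passwords always yield identical hashes,
    which makes precomputed-table and bulk-guessing attacks cheap."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash built on SHA-256. Returns a self-describing
    string (assumed format) so the verifier knows how to recompute it."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password: str, record: dict,
                       iterations: int = PBKDF2_ITERATIONS) -> Tuple[bool, dict]:
    """Check a login attempt against a stored record (assumed shape:
    {"scheme": ..., "hash": ...}). If the record still uses legacy SHA-1 and
    the password is correct, return an upgraded PBKDF2 record for storage."""
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password), record["hash"])
        if ok:
            record = {"scheme": "pbkdf2_sha256",
                      "hash": hash_password(password, iterations=iterations)}
        return ok, record
    if record["scheme"] == "pbkdf2_sha256":
        return verify_password(password, record["hash"]), record
    raise ValueError(f"unknown scheme: {record['scheme']}")


def hashes_collide_across_users(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Illustrates why salting matters: two users with the same password get
    the same legacy SHA-1 hash but different salted PBKDF2 hashes."""
    return {
        "sha1_identical": legacy_sha1(password) == legacy_sha1(password),
        "pbkdf2_identical": (hash_password(password, iterations=iterations)
                             == hash_password(password, iterations=iterations)),
    }


if __name__ == "__main__":
    # Constructed sample: a user whose record still holds an unsalted SHA-1 hash.
    user = {"scheme": "sha1", "hash": legacy_sha1("correct horse battery staple")}
    ok, user = verify_and_upgrade("correct horse battery staple", user)
    print("login ok:", ok, "| scheme now:", user["scheme"])
    print(hashes_collide_across_users("correct horse battery staple"))
```

On a live system the upgraded record is written back only after a successful login, and accounts that never log in keep their legacy hash, which is why a forced reset of every password (as Hostinger did) is the faster way to retire the old scheme entirely.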
Hostinger has reassured customers that no financial data was compromised, as it does not store payment card information or sensitive financial data on its servers. Transactions are managed by third-party payment providers, isolating sensitive financial information from potential exposure.
An internal investigation remains ongoing, and Hostinger has engaged a team of forensics experts and data scientists to ascertain the breach’s origins and enhance security measures across the company’s operations. Following the password reset, clients are urged to create strong, unique passwords and to remain vigilant against suspicious emails or unsolicited requests for personal information.
For customers wishing to remove their details from Hostinger’s servers in compliance with GDPR regulations, they may contact [email protected].
This recent breach serves as a reminder of the evolving cybersecurity landscape and of the need for vigilant security practices within organizations. Business owners would do well to assess their own systems and implement robust security measures, including strong unique passwords and the adoption of multi-factor authentication, to reduce the impact of such incidents in the future.