Hostinger Breach Prompts Reset of All User Passwords
A data breach at web hosting company Hostinger has prompted the company to reset the passwords of all its customers.
Hostinger, which operates from Kaunas, Lithuania, reset the passwords of 29 million customers in 178 countries as a precautionary security measure after the breach was detected on August 22, 2019.
An intruder gained access to the company's internal system API, triggering an alert to be sent to Hostinger. The server broken into contained an authorization token, which was used to obtain further access and escalate privileges to Hostinger's RESTful API server, which was used to query information relating to clients and their accounts.
No financial information was accessed during the attack, but a database that contained hashed passwords, email addresses and client usernames was compromised. Up to 14 million accounts may have been affected.
Hostinger encrypts client passwords by using a one-way mathematical function that changes whatever password a client has picked into a random sequence of characters.
Customers of the web hosting company have been advised to pick strong passwords that are not in use anywhere else and to be wary of any unsolicited communications asking for personal information.
To increase the security of client data, Hostinger has ditched the hashing algorithm SHA-1 in favor of using SHA-2, which is tougher for hackers to crack.
The incident has been reported under Europe's General Data Protection Regulation.
In a statement released on its blog, Hostinger said: "Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our Clients, including mandatory password reset for our Clients and systems within all of our infrastructure.
"Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities."
Hostinger assured clients that their financial data was safe. Since payments for Hostinger services are made through authorized and certified third-party payment providers, the company does not store card details or any other sensitive financial information on its servers.
Source: Information Security Magazine