Web host Hostinger resets 14 million customer passwords following data breach
Hosting company Hostinger has reset passwords for all of its customers after a data breach in which a database containing information about 14 million users was accessed "by an unauthorized third party".
Hostinger says that the password reset is a "precautionary measure" and explains that the security incident occurred when hackers used an authorization token found on one of the company's servers to access an internal system API. While no financial data is thought to have been accessed, hackers were able to access "client usernames, emails, hashed passwords, first names and IP addresses".
The incident was discovered on Friday August 23 and Hostinger says that it "received informational alerts that one of our servers has been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server. This API Server is used to query the details about our clients and their accounts".
The company goes on to say:
"The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses, has been accessed by an unauthorized third party. The respective database table that holds client data has information about 14 million Hostinger users."
Writing about the incident in a blog post, Hostinger says:
"Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our Clients, including mandatory password reset for our Clients and systems within all of our infrastructure.
"Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities.
"The investigation is still in its early stages. All updates regarding this security incident will be posted in this blog, on our status page, and sent directly to our Clients via email and across other channels."
The incident is now being investigated, and Hostinger says that any customer wanting to have their details deleted under GDPR rules should contact [email protected].