Popular website hosting platform Hostinger has initiated a password reset on all accounts after being notified of a third-party intrusion that put the data of more than 14 million users of the platform at risk.
Hostinger said in a blog post that it has already secured its servers and completed an initial investigation into what happened. The company said it initiated the password reset as an additional measure to protect its users' data.
“We have reset all Hostinger Client passwords as a precautionary measure following a recent security incident. We are taking this extremely seriously and want to let everyone know what has happened and the immediate steps we have taken to protect our clients’ security,” the company said.
In the blog post, authored by Daugirdas Jankus of Hostinger, the company said that on August 23 an unauthorized third party gained access to the platform's databases and internal system API. The intrusion gave the third party access to the hashed passwords of Hostinger users and other non-financial data stored on the company's internal servers.
“On August 23, 2019, we have received informational alerts that one of our servers has been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API. This API is used to query the details about our clients and their accounts,” the blog post reads.
What kind of data was exposed?
The hosting platform said that the potentially exposed data includes usernames, emails, hashed passwords, first names, and IP addresses, as the accessed database contains information about 14 million Hostinger users.
As part of its security mechanism, the company said that user passwords were hashed and encrypted using a cryptographic hash function, making them unreadable to the human eye. "It is a one-way mathematical function that converts your password to a seemingly random sequence of characters," they explained. Nonetheless, the company still reset all passwords as an additional precaution and to make sure that the passwords cannot be reused in attacks such as credential stuffing.
Furthermore, the company assures its users that their financial information, including credit card numbers and security codes, was not compromised. It said that payments through the platform are handled by a reliable third-party payment processing partner and that it does not store financial information on its own servers.
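The one-way property described above is easy to illustrate, and so is the reason a hashed-password leak still warrants a reset. The example below is added here and is not Hostinger's code; it shows that a plain unsalted hash makes every user with the same password share a digest (so a leaked table is correlatable), while a per-user salt plus an iterated KDF (PBKDF2 is assumed here as a stand-in for whatever function the company actually uses) does not, and it verifies a login with a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed, illustrative work factor; production values should follow current guidance.
PBKDF2_ITERATIONS = 100_000


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 is one-way, but identical passwords always give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time (no early exit)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def same_digest_without_salt(pw_a: str, pw_b: str) -> bool:
    """True when two unsalted digests collide, e.g. two users sharing one password."""
    return fast_unsalted_hash(pw_a) == fast_unsalted_hash(pw_b)


def same_digest_with_salt(pw_a: str, pw_b: str) -> bool:
    """Two enrolments of the same password get different salts, hence different digests."""
    _, digest_a = hash_password(pw_a)
    _, digest_b = hash_password(pw_b)
    return digest_a == digest_b


if __name__ == "__main__":
    # Constructed sample password, never stored in plain text past this point.
    salt, stored = hash_password("correct horse battery staple")
    print("unsalted digests collide:", same_digest_without_salt("hunter2", "hunter2"))
    print("salted digests collide:  ", same_digest_with_salt("hunter2", "hunter2"))
    print("login with right password:", verify_password("correct horse battery staple", salt, stored))
    print("login with wrong password:", verify_password("correct horse battery stapler", salt, stored))
```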
Hostinger said that after completing a thorough preliminary investigation, they have discovered that Hostinger “accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected” and that clients’ websites were not accessed by the intruder.
What happens next?
The company said that they have already identified the origin of unauthorized access and have taken necessary actions to protect the data of their clients, “including mandatory password reset for our Clients and systems within all of our infrastructure.”
To establish exactly what happened during the security incident, the company has organized a response team to investigate the events thoroughly and improve the security mechanisms and protocols used across the company and its servers.
“We have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations,” the company said in the blog post.
The investigation into the incident is in its early stages, but Hostinger said it will keep clients updated on anything that comes up. The company promised to post updates on its blog and status page, and to send each affected user an email detailing the developments of the investigation.
As required by law, Hostinger has also contacted the relevant authorities regarding the data breach.
Meanwhile, Hostinger urges its clients to choose stronger passwords when resetting them, to stay vigilant for suspicious activity on their accounts, and to report any such activity to the company immediately.
“Following the password reset, we urge our Clients to choose strong passwords that are not utilized on other websites. Clients should be cautious of any unsolicited communications that may ask for your login details, personal information, or refer you to a website asking for the above-mentioned information. We also strongly suggest avoiding clicking on links or downloading attachments from suspicious emails,” the company warns its clients.