Popular web hosting provider Hostinger had to reset passwords of 14 million users to a “random sequence of characters” as a precautionary measure following a massive data breach. The company has sent password recovery emails to the affected consumers.
According to a blog post, Hostinger claims the massive breach took place on Thursday. The company received an alert that an unauthorized third party had gained access to one of its servers.
Hackers gained access to an authorization token on one of Hostinger’s servers. The token can be used to make API requests, without needing a password or a username. Through this, the hackers gained access to the company’s internal systems and a client database which holds information “about 14 million Hostinger users”.
Data potentially exposed:
– Hostinger usernames
– IP addresses
– home addresses
– phone numbers
– hashed passwords
— Catalin Cimpanu (@campuscodi) August 25, 2019
Hostinger writes that the API database includes client names, usernames, emails, hashed passwords, and IP addresses. After learning about the data breach, Hostinger immediately removed the access and “secured the API and all related systems.”
Furthermore, the blog post mentions that the company is investigating the matter with a team of forensic experts and data scientists. Authorities have also been contacted. Other than that, Hostinger cautions users to stay away from unsolicited, suspicious emails and links that ask for any login credentials.
Hostinger also writes that clients don’t need to worry about their financial logs since they remain unaffected by the breach.
Balys Kriksciunas, CEO of Hostinger Group, told ZDNet that they have not discovered any crafted calls to extract clients' data; however, “we are taking the worst-case scenario.” He also says that it is difficult to tell the exact number of clients because of the nature of the breach, which means the number can get bigger.