One of the well-known web hosting providers, Hostinger, suffered a massive data breach, and to protect its customers' data the firm has reset passwords as a precautionary measure.
In the last week of August, Hostinger revealed that an unauthorized third party had gained access to hashed passwords and non-financial data. More than half of its customers' data was accessed by the attackers, which is why it reset passwords for 14 million users.
The cybercriminal used one of the company's servers to gain access to the entire system without requiring any username or password. Hostinger restricted the vulnerable system immediately, made the access no longer available, and contacted the respective authorities.
The company received an informational alert on 23 August 2019 that an unauthorized person had accessed one of its servers. The server contained an authorization token, which the attacker used to get access to the API server. The API server was used to query the details of customers and their accounts.
The API database contained personal information of 14 million customers, including usernames, emails, hashed passwords, first names, and IP addresses. The hacker gained access to the information of almost one million customers.
Breach Affects Over Half of Hostinger’s User Base
Hostinger has more than 29 million customers, and the recent data breach has affected half of its user base. The customer passwords were hashed with the weak SHA-1 algorithm, which makes them easier for the cybercriminal to crack.
After the data breach, the firm switched to the stronger SHA-2 algorithm, reset the passwords of its 14 million customers, and sent password recovery emails to the affected customers.
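The move from SHA-1 to SHA-2 with a forced reset can be sketched as follows. This is an added example, not Hostinger's code: the record format, function names and iteration count are assumptions, and it uses PBKDF2-HMAC-SHA256 (a salted, iterated SHA-2 construction), whereas the article only says "SHA-2".

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune for your hardware

def legacy_sha1(password: str) -> str:
    """Unsalted single-round SHA-1 record (constructed legacy format)."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated SHA-256 record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)  # per-user salt, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def needs_reset(record: str) -> bool:
    """Any record not in the new scheme is treated as exposed."""
    return not record.startswith("pbkdf2_sha256$")

def verify(password: str, record: str) -> bool:
    """Legacy records never authenticate; the user must reset first."""
    if needs_reset(record):
        return False
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def complete_reset(db: dict, user: str, new_password: str,
                   iterations: int = ITERATIONS) -> None:
    """Called from the password-recovery flow; replaces the old record."""
    db[user] = hash_password(new_password, iterations)

if __name__ == "__main__":
    # Constructed sample data: two users sharing one password.
    db = {u: legacy_sha1("Summer2019!") for u in ("alice", "bob")}
    print("identical legacy records:", db["alice"] == db["bob"])
    complete_reset(db, "alice", "a-new-long-passphrase")
    print("alice can log in:", verify("a-new-long-passphrase", db["alice"]))
    print("bob still blocked:", needs_reset(db["bob"]))
```

Unsalted SHA-1 gives every user with the same password the same record, so one cracked hash exposes all of them; the salted records differ per user and cost many iterations per guess.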
In the coming days, the firm will also enable two-factor authentication for customer accounts as an additional layer of security.
Hostinger does not store any payment card records or sensitive financial data on the API server, so no financial records were accessed by the attacker. Client accounts and the data stored on them, including websites, domains, and hosted emails, are not affected by the recent breach.
The firm is urging its clients to set a new, strong password for their Hostinger account and to be careful not to click on links sent by unauthorized persons. It has asked clients not to download any attachments or communicate with anyone asking for login details and personal information.