Web hosting provider Hostinger has forcibly reset all of its client passwords as a “precautionary measure” following an unauthorized access of its customer database, which contains some 14 million users.
“During this incident, an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our customers,” the Lithuania-based company said.
Hostinger — founded in 2004 — has over 29 million users across 178 countries.
The security incident is said to have come to light on August 23, when the company was alerted to a breach of one of its servers. Using an authorization token found on the server — which grants access to systems without the need for any username and password — the attacker gained deeper access through privilege escalation.
This allowed the threat actor to take control of an API server used to query client details and their account information, including Hostinger usernames, first names, email addresses, phone numbers, home addresses, IP addresses, and hashed passwords.
Neither financial data nor client data stored on accounts — websites, domains, and hosted emails — was affected.
Hostinger notes it doesn’t store any card information, as payments are handled through authorized and certified third-party providers. It did not, however, disclose the names of the parties involved.
Consequently, the company said it immediately removed the access, “secured the API and all related systems,” and alerted the authorities. Hostinger is also looking into the origin of the security breach.
In simple terms, authorization tokens are like access tokens. For example, a server could generate a token — signed with a digital signature to verify authenticity — that says “logged in as admin” and pass it over to a client. The client can then use this token to authenticate itself as a system admin.
It’s not immediately clear if an access token of this sort was abused by the threat actor to gain elevated access.
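The paragraph above describes a bearer token: whoever holds it is treated as the identity it names, with no username or password exchanged. The example below is added here to illustrate that property and the controls that limit the damage when such a token leaks; it is not Hostinger's code and says nothing about their actual token format. It assumes a hypothetical HMAC-SHA256 signed token with `exp` (expiry) and `jti` (token id) claims and a constructed demo key; the hypothetical `ops-bot` subject and `t-1` token id are also constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real service keeps its signing key in a secrets
# manager; a key (or a minted token) lying on a server's disk is exactly the
# kind of artefact an intruder can reuse.
SECRET_KEY = b"demo-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes, now: int, ttl_seconds: int) -> str:
    """Sign a claims set ("logged in as admin") so the server can later trust it."""
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, key: bytes, now: int, revoked=frozenset()):
    """Return the claims if the token is authentic, unexpired and not revoked; else None.

    Note what is NOT checked: a username, a password, or who presents the
    token. That is the bearer-token property the article describes.
    """
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison; signature is checked before the payload is parsed.
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        return None            # short TTLs bound how long a leaked token is useful
    if claims.get("jti") in revoked:
        return None            # "immediately removed the access" == revoke the id
    return claims


def alter_claim_without_resigning(token: str, field: str, value) -> str:
    """Change one claim but keep the old signature (what a tamperer would try)."""
    payload, sig = token.split(".", 1)
    claims = json.loads(_unb64(payload))
    claims[field] = value
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


def demonstrate() -> dict:
    """Walk through the four outcomes a defender cares about. Times are constructed."""
    t0 = 1_700_000_000
    # Hypothetical service-account token; 'ops-bot' and 't-1' are constructed names.
    tok = mint_token({"sub": "ops-bot", "role": "admin", "jti": "t-1"},
                     SECRET_KEY, now=t0, ttl_seconds=3600)
    return {
        # Anyone holding the token is "admin" with no credentials presented.
        "leaked_token_still_works": verify_token(tok, SECRET_KEY, t0 + 10)["role"] == "admin",
        # Editing the claims without the key breaks the signature.
        "tampering_detected": verify_token(
            alter_claim_without_resigning(tok, "role", "superadmin"), SECRET_KEY, t0 + 10) is None,
        # Expiry limits the window a stolen token is useful.
        "expired_rejected": verify_token(tok, SECRET_KEY, t0 + 3600) is None,
        # Revocation closes that window immediately once the theft is known.
        "revoked_rejected": verify_token(tok, SECRET_KEY, t0 + 10, revoked={"t-1"}) is None,
        # A token signed under another key is worthless here (per-system keys).
        "wrong_key_rejected": verify_token(tok, b"other-system-key", t0 + 10) is None,
    }


if __name__ == "__main__":
    for check, ok in demonstrate().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The first outcome is the risk: a token copied off a server authenticates its bearer as the named role until it expires. The remaining outcomes are the mitigations a service can reach for: short lifetimes, a revocation list keyed on the token id, per-system signing keys so one token cannot roam between APIs, and signature checks that make claim edits detectable.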
“We are continuing our internal review, implementing new security procedures and hardening server and network settings,” the latest update (August 25, 4:20 PM EST) on the incident report reads.
Speaking to ZDNet, the company’s CEO Balys Kriksciunas said, “The reason it is difficult to determine the exact number of Clients is because of the type of the breach.”
Affected customers should have already received a password reset email, Hostinger said, while warning users to be cautious of clicking any suspicious messages asking for personal information.
The phishing threat aside, the company is urging customers to choose strong unique passwords as it works towards adding two-factor authentication in the “near future.”