Web hosting firm Hostinger has reset the passwords of all of its customers after it discovered hackers had breached its systems and accessed a database containing millions of records.
In a blog post, Hostinger’s Chief Marketing Officer Daugirdas Jankus explained that “an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our customers.”
The breach, which is said to have occurred on August 23rd, has put the records of up to 14 million Hostinger users at risk.
Data exposed in the security breach includes clients’ usernames, email addresses, hashed passwords, first names, and IP addresses.
Hostinger has reassured customers that their financial details have not been accessed as payments are handled by third-party providers (as such data isn’t stored on the company’s systems). Furthermore, the firm says that after a “thorough internal investigation” it determined that Hostinger clients’ “accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.”
The company says that whoever hacked its systems managed to gain access to an internal server and used an internal API token to query its customer database.
So, Hostinger customers are now being treated to a mandatory password reset. Of course, it’s not just important to change your Hostinger password – but to also make sure that it is unique (in other words, not one that you’re using anywhere else) and that it cannot be easily guessed or cracked.
Affected customers should also be wary of unsolicited communications claiming to come from Hostinger, which might be attempts to phish for login credentials.
It’s worth pointing out that Hostinger does not currently offer its customers two-factor authentication as an additional layer of security. However, it says it is “planning to provide 2FA in the near future.” My guess is that that particular feature just jumped a little up the priority list.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.