Hostinger resets passwords following security breach

Graham Cluley

Web hosting firm Hostinger has reset the passwords of all of its customers after it discovered hackers had breached its systems and accessed a database containing millions of records.

In a blog post, Hostinger’s Chief Marketing Officer Daugirdas Jankus explained that “an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our customers.”

The breach, which is said to have occurred on August 23rd, has put the records of up to 14 million Hostinger users at risk.

Data exposed in the security breach includes clients’ usernames, email addresses, hashed passwords, first names, and IP addresses.


Hostinger has reassured customers that their financial details have not been accessed as payments are handled by third-party providers (as such data isn’t stored on the company’s systems). Furthermore, the firm says that after a “thorough internal investigation” it determined that Hostinger clients’ “accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.”

The company says that whoever hacked its systems managed to gain access to an internal server and used an internal API token to query its customer database.

So, Hostinger customers are now being treated to a mandatory password reset. Of course, it’s important not just to change your Hostinger password, but also to make sure that it is unique (in other words, not one that you’re using anywhere else) and that it cannot be easily guessed or cracked.

Affected customers should also be wary of unsolicited communications claiming to come from Hostinger, which might be attempts to phish for login credentials.

It’s worth pointing out that Hostinger does not currently offer its customers two-factor authentication as an additional layer of security. However, it says it is “planning to provide 2FA in the near future.” My guess is that that particular feature just jumped a little up the priority list.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
