The hacker accessed a database of the web hosting company Hostinger and breached information of 14 million customers in 78 countries
One of the biggest web-hosting providers, Hostinger, has disclosed a security incident that affected the platform's users. In blog posts and reports, the company stated that the passwords of 14 million of its users were reset as a “precautionary measure” to protect clients from further data theft.
The security incident occurred on August 23, when an unauthorized third party gained access to an internal system API; the activity was picked up by informational alerts from the compromised server. The unknown attacker managed to obtain hashed passwords and other non-financial (but personal) details about customers.
According to statements issued by Hostinger representatives, the company immediately took action: it reported the incident to the authorities and initiated a comprehensive investigation with the help of a third-party forensic team. The vulnerable system was also contained and can no longer be accessed:
Payments for Hostinger services are made through authorized and certified third-party payment providers. It means that we never store any payment card or other sensitive Client financial data on our servers and it has not been accessed or compromised.
A compromised authorization token was used to gain access to the RESTful API
The security incident came to light when customers started receiving email notifications explaining that Hostinger was the victim of a data breach. In the message, users were also informed about further attack details and that internal and external forensic teams are investigating the case. Additionally, the Hostinger team is working on implementing new safety procedures to ensure the security of the platform.
The Lithuania-based hosting company has almost 30 million clients worldwide, and the breached server affected 14 million of that userbase, spread across 78 countries. The API database included:
- client usernames;
- first names;
- home addresses;
- IP addresses.
According to Hostinger, the API server contained an authorization token that was used to obtain access to, and escalate privileges on, a RESTful API. This token was used for queries about customers and their accounts, including phone numbers, home addresses, and business addresses. Unfortunately, this feature was the reason the hacker, having accessed one of the servers, was able to obtain further access to customer data.
The unique algorithm used for scrambling the passwords
Unfortunately, client passwords and other personal data can still be at risk. Although hashing passwords limits what an attacker learns from a stolen database, Hostinger used the SHA-1 algorithm for the process. Immediately after the attack, the company reset the passwords using the SHA-256 algorithm.
The SHA-1 hash function has been in use for much longer than SHA-2, and multiple databases with billions of hashes and their original inputs are available. These databases can be used to recover passwords, which attackers can then use in credential stuffing attacks.
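The passage above turns on one property: an unsalted hash (SHA-1 or SHA-256 alike) is deterministic, so a precomputed table of hash-to-input pairs answers every account that shares a password. The following is an added example, not Hostinger's code, that shows that property and the storage scheme a defender would use instead: a random per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library). The iteration count, salt length and record format are assumptions chosen for this example.

```python
"""Added example (not from the article or Hostinger): unsalted password hashes
versus salted PBKDF2 records. Iteration count, salt size and the record
encoding below are assumptions made for this illustration."""
import hashlib
import hmac
import os

# Assumed parameters for this example (tune iterations to your hardware).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def unsalted_hash(password: str, algorithm: str = "sha1") -> str:
    """Plain unsalted digest, as the article describes for the stored passwords.

    Identical input always gives an identical output, which is exactly why a
    precomputed hash->input table works against every account sharing a
    password. Swapping SHA-1 for SHA-256 does not change this property.
    """
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def make_password_record(password: str) -> str:
    """Create a storable record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and a table built for one salt is useless for another.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count.

    The comparison is constant-time so a timing side channel does not leak
    how many leading bytes of the stored hash matched.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != SCHEME or rounds <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    sample = "correct horse battery staple"  # constructed sample password
    print("unsalted sha1   :", unsalted_hash(sample))
    print("unsalted sha256 :", unsalted_hash(sample, "sha256"))
    record_a = make_password_record(sample)
    record_b = make_password_record(sample)
    print("same password, different records:", record_a != record_b)
    print("verify ok:", verify_password(sample, record_a))
    print("verify wrong:", verify_password("wrong password", record_a))
```

The record carries its own salt and iteration count, so the cost parameter can be raised later and old records re-hashed at next login without a schema change; the same approach applies to bcrypt, scrypt or Argon2, which are preferable where a library for them is available.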
The company also notes that phishing attacks are possible in the future, through which malicious actors could obtain login details and other valuable information. Because of this breach, any compromised password that users reused for other accounts is at significant risk, so those affected should immediately change that password everywhere else.
In response, Hostinger plans to add two-factor authentication, so that a username and password are no longer the only data required to access an account.