Hostinger Hack: Details of 14 Million Accounts Stolen

Web hosting firm Hostinger says almost half of its customer’s passwords and personal data has been leaked online after one of its servers was hacked.

Hostinger provides virtual, cloud and private server hosting, alongside domain registration to over 29 million users.

The company first discovered the intrusion into its network on August 23, when security was alerted that a server had been accessed by an unauthorised third party. The breached server held an authorization token which the hackers then used to escalate their privileges into Hostinger RESTful API Server.

Lithuania-based Hostinger said: “The API database, which includes our client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users.”

Hostinger Hack Under Investigation

Hostinger said it has triggered a password reset for its users as a precautionary measure, as the data accessed on the server contained only hash encrypted passwords secured using the SHA-1 algorithm, which is not among the most robust.

While its investigation is still in a nascent stage the firm says they have assembled a team of internal and external forensics experts and data scientists who have pinpointed the origin of the attack. They also note that they have contacted law enforcement and have restricted the vulnerable system so it can be purged of any unauthorized access.

The company has also updated encryption to SHA-256 it told Threatpost.

Hostinger is reassuring its customers that none of their financial details were accessed during the breach as: “Payments for Hostinger services are made through authorized and certified third-party payment providers. It means that we never store any payment card or other sensitive Client financial data on our servers and it has not been accessed or compromised.”

As usual with these frequent server breaches the firm is warning its clients not to use the same password across multiple websites or logins.