Hostinger, one of the popular web hosting providers, has been hit by a massive data breach that led the company to reset all customer passwords as a precautionary measure. In a recently published blog post, Hostinger revealed that an unauthorized third party breached one of its servers and gained access to hashed passwords and other non-financial data associated with millions of its customers. The incident occurred on the 23rd of August, 2019, when unknown hackers found an authorization token on one of the company's servers and used it to gain access to an internal system API without needing any username or password.
Hostinger restricted the vulnerable system immediately after discovering the breach, cut off all access, and contacted the respective authorities at the same time. The API database, which the hackers accessed, holds the personal information of about 14 million Hostinger customers, including their usernames, hashed passwords, emails, first names, and IP addresses.
Hostinger houses over 29 million users; as a result, the data breach affected more than half of its complete user base. It should also be noted that the company used the weak SHA-1 hashing algorithm to scramble Hostinger client passwords, which makes it easier for the hackers to crack them. As a precaution, the company has reset all Hostinger Client login passwords using the more robust SHA-2 algorithm and sent password recovery emails to the affected customers. At present, the company does not offer two-factor authentication (2FA) for its customers' accounts, although it says it is planning to provide this additional layer of security in the near future.
Hostinger reassured its customers that no financial data is believed to have been accessed, as the company never stores payment card details or any other sensitive financial data on its servers. It added that third-party payment providers handle payments for its services.
Furthermore, Hostinger has assured customers that a thorough internal investigation found that Hostinger Client accounts and the data stored on those accounts, including websites, domains, and hosted emails, remained untouched and unaffected. The investigation into the matter is still ongoing, and a team of internal and external forensic experts and data scientists has been assembled to discover the origin of the data breach and to increase the security measures of all the company's operations.
Following the password reset, the company is also urging its customers to set a strong and unique password for their Hostinger accounts, one that has never been used before, and to be alert to any suspicious emails asking them to click on links or download attachments, as well as any unsolicited communications asking for login details, other personal information, or anything related to the website or company.
Customers who want to delete their details from Hostinger servers under GDPR rules should contact firstname.lastname@example.org as soon as possible.
Source: The Hacker News