Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Incident Response

Hostinger Resets User Passwords Following System Breach

Web hosting provider Hostinger reset all customer passwords over the weekend, after learning that an attacker gained unauthorized access to one of its internal systems. 

Web hosting provider Hostinger reset all customer passwords over the weekend, after learning that an attacker gained unauthorized access to one of its internal systems. 

With over 29 million users in 178 countries, Hostinger, which was established in 2004, is also an Internet domain name registrar. The breach, the company says, may have impacted information of nearly half of its users. 

On August 23, the company received alerts on unauthorized access to an internal server containing an authorization token that the attackers used to escalate privileges to the system RESTful API Server used to query details about clients and their accounts.

The compromised API and all related systems have been already secured and the unauthorized access to them has been quickly removed, the company says. 

“The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users,” the hosting provider said

Although the Client passwords are hashed, the company decided to reset all passwords, as a precautionary security practice. Hostinger says it has notified all of its users of the password reset via email, and that it has also contacted authorities on the matter. 

No payment card or other sensitive financial information was compromised a ofs a result the incident, as payments for Hostinger services are made through third-party providers.

The web hosting provider says that its internal investigation has revealed that no Hostinger client accounts or data stored on those accounts (websites, domains, hosted emails, etc.) have been compromised during the incident. 

Advertisement. Scroll to continue reading.

“We remind our Clients not to use the same passwords on multiple service providers across the web and to generate strong unique passwords with password management tools,” the company notes. 

Furthermore, Hostinger advises users to be cautious of any unsolicited communications requesting their login details or personal information. They should avoid clicking on links or downloading attachments from suspicious email messages. 

Related: Many Users Don’t Change Unsafe Passwords After Being Warned: Google

Related: Slack Resetting More User Passwords in Response to 2015 Breach

Related: Google Warns G Suite Customers of Passwords Stored Unhashed Since 2005

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.