Web hosting provider Hostinger reset all customer passwords over the weekend, after learning that an attacker gained unauthorized access to one of its internal systems.
With over 29 million users in 178 countries, Hostinger, which was established in 2004, is also an Internet domain name registrar. The breach, the company says, may have impacted information of nearly half of its users.
On August 23, the company received alerts of unauthorized access to an internal server containing an authorization token, which the attackers used to escalate privileges to the system's RESTful API server, used to query details about clients and their accounts.
The compromised API and all related systems have already been secured, and the unauthorized access to them was quickly removed, the company says.
“The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses, has been accessed by an unauthorized third party. The respective database table that holds client data has information about 14 million Hostinger users,” the hosting provider said.
Although the client passwords are hashed, the company decided to reset all passwords as a precautionary security practice. Hostinger says it has notified all of its users of the password reset via email, and that it has also contacted the authorities on the matter.
No payment card or other sensitive financial information was compromised as a result of the incident, as payments for Hostinger services are made through third-party providers.
The web hosting provider says that its internal investigation has revealed that no Hostinger client accounts or data stored on those accounts (websites, domains, hosted emails, etc.) have been compromised during the incident.
“We remind our Clients not to use the same passwords on multiple service providers across the web and to generate strong unique passwords with password management tools,” the company notes.
Furthermore, Hostinger advises users to be cautious of any unsolicited communications requesting their login details or personal information, and to avoid clicking on links or downloading attachments from suspicious email messages.