Hostinger: 14 Million Accounts at Risk After Breach
Web Hosting Company Says API Server Compromised
Web hosting company Hostinger has reset all customer passwords after one of its databases was breached, affecting 14 million accounts.
Hostinger, which is based in Kaunas, Lithuania, says it discovered the breach on Thursday. It has cut off access to the system, according to a blog post on Sunday. The company says it has 29 million customers in 178 countries.
The intruder gained access to hashed passwords and nonfinancial customer data, Hostinger says.
Daugirdas Jankus, Hostinger's chief marketing officer, tells Information Security Media Group that the company hasn’t seen evidence an attacker might have extracted data en masse, but nevertheless, it's considering the incident a worst-case scenario.
“We decided to reset customers’ passwords to eliminate even the slightest possibility of a breach of their account,” Jankus says.
The incident qualifies for reporting under Europe’s General Data Protection Regulation. Jankus says Hostinger has informed authorities.
Token Allowed Privilege Escalation
The intruder gained access to a server that contained an authorization token, Hostinger says. That token was then used to escalate privileges and access a RESTful API Server, which is used to query client accounts.
The database contained hashed passwords, meaning the passwords had been run through a one-way function rather than stored in plain text. Storing only hashes is standard practice, but the protection it gives depends on which algorithm is used and whether each hash is salted.
Hostinger used SHA-1 to hash plain-text passwords, Jankus says. SHA-1 is no longer considered appropriate for password storage: it is a fast general-purpose hash, so an attacker holding the database can test a very large number of guesses per second against it, and unsalted hashes can also be looked up in precomputed tables. Organizations now tend to use a deliberately slow, salted password hash such as bcrypt (scrypt and Argon2 serve the same purpose) because it is far more resistant to cracking. Jankus says Hostinger is now using SHA-2 to hash passwords. SHA-2 is also a fast general-purpose hash, so that change on its own does not give the protection a slow, salted scheme would.
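The following Python script is an added example, not code from the article or from Hostinger, showing why the choice of algorithm matters. The wordlist and the "leaked" password are constructed for the demonstration. Beyond the names SHA-1 and SHA-2, the article does not describe Hostinger's scheme, so unsalted SHA-1 and SHA-256 stand in for it, and scrypt from the standard library stands in for bcrypt as the slow, salted alternative. The script runs the same offline dictionary attack an attacker with a copy of the database would run, against each scheme, and measures the guess rate each one allows.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed sample inputs (not from the article): a tiny wordlist and
# a "leaked" user's password that happens to be in it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hosting2019", "s3cret!"]
LEAKED_USER_PASSWORD = "letmein"

# scrypt cost parameters; N=2**14, r=8, p=1 needs about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha1_hash(password: str) -> str:
    """Unsalted SHA-1: the scheme the article says was in use at the time of the breach."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha256_hash(password: str) -> str:
    """Unsalted SHA-256 (a SHA-2 member): a different fast hash with the same weakness."""
    return hashlib.sha256(password.encode()).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt from the standard library; bcrypt or Argon2
    would serve the same purpose. A fresh random salt is generated per password
    unless one is supplied (a fixed salt is only useful for reproducible tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, maxmem=2 ** 26, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=2 ** 26, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def fast_hash_verify(hash_fn: Callable[[str], str]) -> Callable[[str, str], bool]:
    """Adapt an unsalted hash into a verify(candidate, stored) function."""
    return lambda candidate, stored: hmac.compare_digest(hash_fn(candidate), stored)


def dictionary_attack(stored: str, verify: Callable[[str, str], bool], wordlist) -> Optional[str]:
    """Offline guessing, as done by an attacker holding a copy of the database.
    Returns the matching word, or None if the password is not in the wordlist."""
    for word in wordlist:
        if verify(word, stored):
            return word
    return None


def guesses_per_second(verify: Callable[[str, str], bool], stored: str, seconds: float = 0.25) -> float:
    """Measure how many candidate passwords per second this scheme lets an attacker try."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        verify("not-the-password", stored)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    for name, hash_fn in (("SHA-1", sha1_hash), ("SHA-256", sha256_hash)):
        stored = hash_fn(LEAKED_USER_PASSWORD)
        verify = fast_hash_verify(hash_fn)
        print(f"{name:8s} cracked={dictionary_attack(stored, verify, WORDLIST)!r} "
              f"rate={guesses_per_second(verify, stored):,.0f} guesses/s, "
              f"same hash for same password: {hash_fn('x') == hash_fn('x')}")
    stored = scrypt_hash(LEAKED_USER_PASSWORD)
    print(f"scrypt   cracked={dictionary_attack(stored, scrypt_verify, WORDLIST)!r} "
          f"rate={guesses_per_second(scrypt_verify, stored):,.0f} guesses/s, "
          f"same hash for same password: {scrypt_hash('x') == scrypt_hash('x')}")
```

Two things to notice when running it. The guess rate against the unsalted fast hashes is orders of magnitude higher than against scrypt, and it is essentially the same for SHA-1 and SHA-256, which is the point about the SHA-2 migration. And the slow hash still yields the weak password, because it is in the wordlist; a slow, salted hash buys time and stops bulk cracking of whole databases, it does not rescue a password that is on every attacker's list, which is why a full reset after a hash leak is the right call regardless of algorithm.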
The database contained client usernames, first names and IP addresses, Hostinger says. The company says that websites, domains and hosted emails are “untouched and unaffected.”
Those who used so-called “social” logins, or authentication integrations with Google, Facebook and others, are unaffected, Hostinger says.
The company doesn’t offer two-factor authentication, which would prevent an attacker who has obtained only a username and password from logging in to an account. But in answer to a question about the security incident, Jankus writes: “we are planning to provide 2FA in the near future.”
“The safest option is to use social logins (Google, Facebook or Github),” he writes. “Anyone using social logins does not need to change or even set their members area password.”
Asked why Hostinger does not encrypt client data at rest, Jankus writes: “Some of the user data is not encrypted because it is shown in different places all over your member's area. If encrypted, it would not be possible to decrypt it and show it on your member's area. However, we have assembled a team of internal and external experts to investigate the origin of the incident and increase security measures of all Hostinger operations, so that similar issues would not happen in the future."