Hostinger Announces Data Breach and Resets All Client Passwords
- Malicious actors have accessed a Hostinger API database containing the account details of 14 million clients.
- The data was encrypted with SHA-2, so it won’t be usable or valuable for sale, while financial data hasn’t been compromised.
- All clients will have to follow a password resetting link and set new passwords for their account to be re-activated.
Hostinger, the world-wide domain registrar and web hosting company with over 29 million customers has announced a security incident on their blog and circulated notifications to its customers. The hosting firm informed the public of unauthorized access to their internal API on August 23, 2019, and a subsequent privilege escalation that targeted the account details of its clients. Unfortunately, the API database was accessed by the unauthorized party, and 14 million Hostinger users have had their data compromised. Thus, all Hostinger user passwords have been reset, so clients will now have to take part in this process by clicking on the link that was sent to them in the relevant notification message.
image source: techcrunch.com
Hostinger has now restricted all access to the vulnerable database and has contacted the concerned authorities to inform them of the details. The positive note is that the data that was leaked will be hard to use by malicious actors. All usernames, email addresses, and account passwords are hashed with the SHA-2 algorithm, which is very difficult to crack. This shows that Hostiger was responsible enough and followed good practices on how they handled their customer data. As for the financial information, payments for Hostinger services are handled by a certified third-party payment provider, so none of this is stored on Hostinger’s servers, and so nothing of this type was compromised.
As the internal investigation is still ongoing, the affected customers should expect to receive more information that concerns them specifically via email. In addition to that, Hostiger has set up a dedicated “status” webpage where they post any updates on the particular security incident. Their help center is also available 24/7 to answer any questions that their clients may have regarding the leaking of their account data. If you wish to delete your personal data from Hostinger entirely, you may ask them to do so by sending a message on “gdpr@hostinger.com”.
Now, it is crucial to understand that while SHA-2 is a strong and reliable form of encryption, you should not rely on it. When resetting your credentials, use a new password that you haven’t used anywhere else before. Remember, password managers are your friends in situations like this as they can generate robust passwords and keep them stored for you, so consider your options and start using one today. If you are using the same password that you had set for Hostinger on other online platforms, you should change it immediately.
Do you have something to say on the above? Let us know of your opinion in the comments down below, or on our socials, on Facebook and Twitter.