Web hosting provider and Internet domain registrar Hostinger reset all Hostinger Client passwords following a security incident.
On 23 August, Hostinger learned from an informational alert that an unauthorized party had gained access to one of its servers. That server contained an authorization token which the party then used to escalate their privileges and interact with the RESTful API Server, an asset used by the company to query details about clients and their accounts. This server included Client usernames, emails, hashed passwords, first names and IP addresses of approximately 14 million users.
The web hosting provider confirmed that the security incident did not affect Clients’ financial data, websites or website data.
After learning of the security event, Hostinger identified the source of unauthorized access. It then assembled a team of internal and external experts to investigate that entry point and to secure the company’s systems so as to prevent similar incidents from occurring in the future. It also notified law enforcement about the instance of unauthorized access.
Lastly, Hostinger took measures to protect Client data by instituting a mandatory password reset for all Clients and systems within its infrastructure. The company provided some context on this particular decision in a statement related to the incident:
Following the password reset, we urge our Clients to choose strong passwords that are not utilized on other websites. Clients should be cautious of any unsolicited communications that may ask for your login details, personal information or refer you to a website asking for the above-mentioned information. We also strongly suggest avoiding clicking on links or downloading attachments from suspicious emails.
To make sure they adequately protect their accounts against unauthorized access, users should not reuse passwords across multiple web services. They should also generate strong passwords and use a password management tool to remember these combinations for them. For additional password best practices, click here.