Web hosting company Hostinger is warning that a breach of one of its servers potentially gave bad actors access to the hashed passwords and personal data of more than 14 million customers.
Hostinger, a popular web, cloud and virtual private server hosting provider and domain registrar with more than 29 million users, has notified customers that it has reset all passwords after an unauthorized third party gained access to an internal system API server. The server contained hashed passwords and other non-financial data about customers.
As of Sunday, the company said that it is working with internal and external forensic teams to analyze network and server logs: “We are continuing our internal review, implementing new security procedures and hardening server and network settings,” it said in a website notice.
Hostinger first became aware of the breach on Friday after receiving informational alerts that one of its servers had been accessed by an unauthorized third party.
“This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API server,” said Hostinger. “This API server is used to query the details about our clients and their accounts.”
The API database included client usernames, emails, hashed passwords, first names and IP addresses. The table held information about 14 million Hostinger users, the company said. Financial data, Hostinger client website accounts and the data stored in those accounts (websites, domains and hosted email) were not affected.
The company said it has identified the origin of unauthorized access and the vulnerable system has since been secured.
While the passwords were hashed with SHA-1, that is weak protection for stored passwords. SHA-1 is a fast, general-purpose hash, so an attacker holding the table can test enormous numbers of candidate passwords per second against it, and unless each hash carries a per-user salt, a single guess is checked against every user at once. SHA-1 is also deprecated because practical collision attacks exist, but collisions are not what an attacker needs to recover passwords from leaked hashes; plain guessing speed is.
“Immediately following the security incident, all Hostinger user passwords have been reset using SHA-256 hashing algorithm,” a Hostinger spokesperson told Threatpost. “Prior to the security incident, SHA-1 hashing algorithm was used to hash user passwords.”
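To make the difference concrete, here is an added example (not code from Hostinger or from Threatpost) of the two sides of the point above: a dictionary attack against a constructed table of unsalted SHA-1 and SHA-256 hashes, beside the same attack against hashes produced by a salted, iterated password function. The usernames, hashes and wordlist are all made up for the example; PBKDF2-HMAC-SHA256 is used because it ships in Python's standard library (memory-hard functions such as scrypt or Argon2 are the stronger choice in production), and the default iteration count is an assumption chosen to be in the range current guidance recommends.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: the kind of short list a cracker tries first.
WORDLIST = ["123456", "password", "hostinger", "qwerty", "letmein", "Summer2019!"]


def unsalted(algo: str, password: str) -> str:
    """Plain SHA-1 / SHA-256 of the password: what a fast general-purpose hash gives you."""
    return hashlib.new(algo, password.encode()).hexdigest()


# Constructed "leaked" tables shaped like the one described in the article.
# Same password -> same hash, for every user, on every site that hashes this way.
LEAKED_SHA1 = {
    "alice": unsalted("sha1", "password"),
    "bob": unsalted("sha1", "Summer2019!"),
    "carol": unsalted("sha1", "correct horse battery staple"),
}
LEAKED_SHA256 = {
    "alice": unsalted("sha256", "password"),
    "bob": unsalted("sha256", "Summer2019!"),
}


def crack_unsalted(table: dict, algo: str, wordlist: list) -> tuple:
    """Dictionary attack on an unsalted table. One hash evaluation per candidate
    word serves every user at once. Returns (cracked users, hash evaluations)."""
    lookup = {unsalted(algo, word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


# Hardened storage: per-user random salt plus a tunable, deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # assumed default; tune to your hardware budget
SALT_LEN = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, cost and salt alongside the derived key so it can be re-verified
    and the cost raised later without a second secret."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing leaks nothing about the stored key.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_pbkdf2(table: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted PBKDF2 hashes. The salt defeats
    the shared lookup, so every (user, word) pair costs a full KDF run.
    Returns (cracked users, KDF evaluations)."""
    cracked, evaluations = {}, 0
    for user, stored in table.items():
        _, iterations, salt_hex, dk_hex = stored.split("$")
        salt, dk_stored = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        for word in wordlist:
            evaluations += 1
            dk = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, int(iterations))
            if hmac.compare_digest(dk, dk_stored):
                cracked[user] = word
                break  # a real cracker stops on the first hit for this user
    return cracked, evaluations


if __name__ == "__main__":
    print("unsalted SHA-1:  ", crack_unsalted(LEAKED_SHA1, "sha1", WORDLIST))
    print("unsalted SHA-256:", crack_unsalted(LEAKED_SHA256, "sha256", WORDLIST))
    # Low iteration count here only so the demo finishes quickly.
    salted = {user: hash_password(pw, iterations=1000) for user, pw in
              [("alice", "password"), ("bob", "Summer2019!"), ("carol", "correct horse battery staple")]}
    print("salted PBKDF2:   ", crack_pbkdf2(salted, WORDLIST))
```

The weak passwords fall either way; what changes is the cost. Against the unsalted tables the attacker pays six hashes for the whole user base, and moving from SHA-1 to SHA-256 changes nothing about that. Against the salted PBKDF2 table the attacker pays one full KDF run per user per guess, and each run is hundreds of thousands of HMAC iterations instead of one hash, which is the property a password hash is supposed to have.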
SHA-256 is the same kind of fast, general-purpose hash as SHA-1, so moving between them changes little for password storage; what protects stored passwords is a purpose-built, salted and deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2. And while Hostinger has reset impacted customer passwords, security experts are urging anyone impacted to ensure that their potentially compromised passwords aren't being reused elsewhere, an issue that still affects hundreds of thousands of internet users, a recent Google study found.
Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost that the incident points to how “password reuse is a real problem.”
“When password hashes are copied, the risk is that an attacker will be able to crack those passwords and then use the information to authenticate to the compromised service, or to other services where those passwords are used,” he said. “If you’ve used the same password in multiple places, you may never know when or how your password was compromised.”
Justin Fox, director of DevOps Engineering for NuData Security, added that enabling multi-factor authentication is a good way for service providers to mitigate the risk of a compromised password.
“Two-factor authentication can be combined with other security layers such as passive biometrics and behavioral analytics, so that if one layer fails, another layer of security takes over, protecting the customers’ accounts even if the credentials have been stolen,” he said in an email. “While two-factor authentication capabilities can help verify the user, behavioral analytics and passive biometrics allow you to learn and trust the user’s behavior both at login and across the session.”