The security breach took place on August 23 and may have impacted up to 14 million
“On August 23rd, 2019 we have received informational alerts that one of our servers has been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server*. This API Server* is used to query the details about our clients and their accounts.
*[Latest Edit on 2019-08-25 17:43 UTC]” reads the announcement published by the company.
“The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users.
The attackers have compromised an internal server, where they found an authorization token for an internal API, then used the token to access customers’ information via API calls.
Exposed data included Hostinger
In response to the incident, the company
“We have reset all Hostinger Client passwords as a precautionary measure following a recent security incident.” reads the data breach notification published on the company website. “During this incident, an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our customers.”
The company determined the affected system and locked out the attackers, the provider has immediately taken down the breached server and the abused API.
At the time of writing, the company is investigating the incident with the help of a team of external forensic experts, it also reported the hack to the authorities.