posted by Fnord666 on Wednesday August 28 2019, @01:46PM
from the this-is-my-shocked-face dept.

Submitted via IRC for SoyCow4408

Hostinger Data Breach Affects Almost 14 Million Customers

Hosting provider Hostinger today [8/25 -ed] announced that it reset the login passwords of 14 million of its customers following a recent security breach that enabled unauthorized access to a client database.

The incident occurred on August 23 and a third party was able to access usernames, hashed passwords, emails, first names, and IP addresses.

Hostinger offered more details about the incident in a blog post today, saying that an unauthorized party accessed one of their servers and was then able to obtain further access to customer information.

This was possible because the server had an authorization token that allowed access and privilege escalation to a RESTful API used for queries about customers and their accounts, including phone numbers and home address or business address.

"The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users."

The password reset action is a precautionary measure and Hostinger clients received the notification and details on how to regain access to their account.

Financial data and websites have not been impacted in any way, the company says. Payment for Hostinger services is done through a third-party provider and an internal investigation found that data regarding websites, domains, hosted emails "remained untouched and unaffected."

[...] One security feature that Hostinger plans to add in the near future is support for two-factor authentication (2FA). This would ensure that the username and password alone are not enough to gain access to an account.


  • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday August 28 2019, @11:54PM (2 children)

    Not really understanding why it would be relevant to a journalist to understand or investigate why only part of their customers were affected by a breach? They only got one table but not another? Or any of the theories you advanced. The question is why any of that would be relevant to any reader of the story?

    --
    This sig for rent.
  • (Score: 2) by VLM on Friday August 30 2019, @02:06PM (1 child)

    Well, fairly obviously, if I'm one of the 15 million people unaffected, a "scare story" about the company being completely powned is kinda misleading. Although from a clickbait perspective perhaps making it sound worse than it is would be an intentional editing decision.

    Also from a financial reporting aspect, of course companies are never held responsible for lax security, but if there is any dollar figure cost to an incident, obviously the cost is half of the entire company.

    As a developing story, it's possible this is not the end and they haven't figured out what happened, thus they can't report its datacenter or service or whatevs which is also interesting.

    • (Score: 2) by All Your Lawn Are Belong To Us on Friday August 30 2019, @04:25PM

      One could turn it around and say maybe the company should have stated the percentage of customers affected? Since the article quotes the press release of the company and doesn't seem to advise that they contacted the company at all, it does read like an article that was written without consulting the source beyond what is publicly available. I agree that the race to the lowest common denominator in journalism may have resulted in sloppiness of reporting.

      The article may have been edited since original access. But I don't read anything in TFA which says the company was completely pwned. But I see your point.

      --
      This sig for rent.