Hostinger Data Breach Affects Almost 14 Million Customers
Hosting provider Hostinger today [8/25 -ed] announced that it reset the login passwords of 14 million of its customers following a recent security breach that enabled unauthorized access to a client database.
The incident occurred on August 23 and a third party was able to access usernames, hashed passwords, emails, first names, and IP addresses.
Hostinger offered more details about the incident in a blog post today, saying that an unauthorized party accessed one of their servers and was then able to obtain further access to customer information.
This was possible because the server held an authorization token that allowed access to, and privilege escalation within, a RESTful API used to query customers and their accounts, including phone numbers and home or business addresses.
"The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses, has been accessed by an unauthorized third party. The respective database table that holds client data has information about 14 million Hostinger users."
The password reset action is a precautionary measure and Hostinger clients received the notification and details on how to regain access to their account.
Financial data and websites have not been impacted in any way, the company says. Payment for Hostinger services is handled through a third-party provider, and an internal investigation found that data regarding websites, domains, and hosted emails "remained untouched and unaffected."
[...] One security feature that Hostinger plans to add in the near future is support for two-factor authentication (2FA). This would ensure that the username and password alone are not enough to gain access to an account.
(Score: 2) by VLM on Wednesday August 28, @02:03PM
Journalists don't work too hard nowadays. Wikipedia claims 29 million customers worldwide. This matches the /about page on their website. The report is 14 million rows of accounts, which is quite a mismatch.
The puzzler is the company offers two dozen distinct services across half a dozen separate datacenters worldwide acting as a supplier or parent company to several resellers. To one sig fig. Anyway the point is the "full story" is obviously someone only gained access to the Minecraft service AAA system or maybe only access to every service in the Netherlands datacenter or maybe only one reseller's accounts.
Clearly, even if the details are never released, the hack impacted somewhat less than half the customers, regardless of specific details, which you'd think a journalist would follow up on, but...
It's possible it's semi-misleading advertising. Maybe they only have 14 million billing accounts but 29 million service accounts. Or they had 29 million customers sign up since company formation and only 14 million at this instant are active and paying. We are probably never going to know.