[BreachExchange] Web host Hostinger says data breach may affect 14 million customers

Destry Winant destry at riskbasedsecurity.com
Mon Aug 26 10:15:13 EDT 2019


Hostinger said it has reset user passwords as a “precautionary
measure” after it detected unauthorized access to a database
containing information on millions of its customers.

The breach is said to have happened on Thursday. The company said in a
blog post it received an alert that one of its servers was improperly
accessed. Using an access token found on the server, which can give
access to systems without needing a username or a password, the hacker
gained further access to the company’s systems, including an API
database. That database contained customer usernames, email addresses,
and passwords scrambled with the SHA-1 algorithm, which has been
deprecated in favor of stronger algorithms after researchers found
SHA-1 was vulnerable to spoofing. The company has since upgraded its
password hashing to the stronger SHA-2 algorithm.

Hostinger said the API database stored about 14 million customer
records. The company has more than 29 million customers on its books.

The company said it was “in contact with the respective authorities.”

News of the breach broke overnight. According to the company’s status
page, affected customers have already received an email to reset their

The company said that financial data was not compromised, nor were
customer website files or data affected.

But one customer who was affected by the breach accused the company of
being potentially “misleading” about the scope of the breach.

A chat log seen by TechCrunch shows a customer support representative
telling the customer it was “correct” that customers’ financial data
can be retrieved by the API but that the company does “not store any
payment data.” Hostinger uses multiple payment processors, the
representative told the customer, but did not name them.

Chief executive Balys Kriksciunas told TechCrunch that the remarks
made by the customer support representative were “misleading” and
denied any customer financial data was compromised. A company
investigation into the breach, however, remains under way.
