On August 25th, Hostinger, one of the biggest hosting providers on the market, disclosed that it had discovered a security vulnerability.
According to the Hostinger blog post, the attackers gained access to one of the company's internal servers. From there, they were able to reach an internal API, meaning that they could access private information on Hostinger's clients.
The affected database included information on about 14 million of the platform's users.
The data included customer usernames, general contact information, and hashed passwords. And while Hostinger states that no sensitive user data has been leaked, millions of users have received emails stating that their existing passwords have been reset.
According to Hostinger, the investigation is still ongoing, so at this stage, it is unknown who is responsible for the security incident.
But there are a lot of things we need to unpack. Let's have a deeper look - should you be worried about this Hostinger security vulnerability?
What data has leaked?
If you're one of the 14 million users affected by the leak, you may be interested in what data has and hasn't been affected by this issue. Here's the current list:
Data that could've potentially been accessed:
- Client usernames
- User emails
- First names of the users
- IP addresses the clients have used
- Hashed passwords (not the real passwords themselves)
Data that couldn't have been accessed:
- Information on the website the clients have
- User financial data
- Information on the domains and emails
In short, the attackers may know that you are a Hostinger client, but they won't know what you host.
All the payment data, such as credit card information, is safe. That's because Hostinger doesn't actually do the payment processing itself and does not store any users' financial data on its servers - instead, everything's done via external payment processors that haven't been affected by the breach.
What should Hostinger users do?
Well - they should do as they're told and change their password as soon as possible. Make sure to stay alert, and follow the company's official blog post, status page, and social media outlets to stay updated.
Also, use common sense practices, such as different passwords for different platforms, or utilize a password manager tool.
But what's the big fuss about the passwords?
As we've already gathered, they didn't leak to the public. So why would the users need to change their passwords as soon as possible? Even the online security expert Troy Hunt found this to be slightly unusual.
Data breach at @HostingerCOM. "We use a cryptographic hash function to encrypt all our Client passwords. It is a one-way mathematical function that converts your password to a seemingly random sequence of characters"
But, uh, we reset passwords anyway... https://t.co/qj0UmjDDDP
— Troy Hunt (@troyhunt) August 25, 2019
We contacted Hostinger to find out more, and according to the company, the password reset is a standard precautionary security practice.
There's also good news if you use social media to log in to Hostinger: that information is safe and was not accessed, so you don't need to change your Google password because of this.
What has been done in order to protect the data?
The users' passwords were hashed with SHA-1.
So it seems that Hostinger has used this opportunity to do a bit of an upgrade: from now on, all passwords will be hashed with SHA-2.
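As an added illustration (not code from the article or from Hostinger), the following shows why a leaked column of fast, unsalted hashes still warrants a reset even though no plaintext leaked, and why a move from SHA-1 to SHA-2 alone does not change that risk. It assumes unsalted hashes, which the article does not confirm either way, and uses constructed sample records; the PBKDF2 functions show the salted, slow scheme that does close the gap.

```python
import hashlib
import hmac
import os

# Constructed sample: three users whose passwords were stored as unsalted
# SHA-1, the scheme the article says was in use at the time of the breach.
# These are not real Hostinger records.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"password123").hexdigest(),
    "bob": hashlib.sha1(b"correct horse battery staple").hexdigest(),
    "carol": hashlib.sha1(b"letmein").hexdigest(),
}
# Same idea after an "upgrade" to SHA-2 (sha256), still unsalted.
LEAKED_SHA256 = {"dave": hashlib.sha256(b"qwerty").hexdigest()}

# A tiny stand-in for a public list of already-breached passwords.
COMMON_PASSWORDS = [b"123456", b"password123", b"letmein", b"qwerty"]


def audit_unsalted(hashes, wordlist, hash_name="sha1"):
    """Return {user: password} for users whose unsalted hash matches a
    known-bad password.

    With a fast, unsalted hash, one digest per candidate word covers every
    user at once, so a leaked hash column exposes weak passwords almost
    immediately. Swapping SHA-1 for SHA-2 does not change this property.
    """
    table = {hashlib.new(hash_name, w).hexdigest(): w for w in wordlist}
    return {user: table[h].decode() for user, h in hashes.items() if h in table}


def store_password(password, iterations=200_000):
    """Salted, deliberately slow hash: per-user salt defeats the shared
    lookup table above, and the iteration count makes each guess costly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(audit_unsalted(LEAKED_SHA1, COMMON_PASSWORDS))
    print(audit_unsalted(LEAKED_SHA256, COMMON_PASSWORDS, "sha256"))
    rec = store_password(b"password123")
    print(verify_password(b"password123", rec), verify_password(b"wrong", rec))
```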
In addition to that, the Hostinger team has already assembled data scientists and cybersecurity experts to investigate the incident and help apply additional security measures for the future. The aim is to make sure that if a similar thing happens again, attackers would not be able to access either the passwords or any other personal data.
However, we have assembled a team of internal and external experts to investigate the origin of the incident and increase the security measures of all of Hostinger's operations, so that similar issues would not happen in the future.
— Daugirdas Jankus, CMO
Such issues are fairly common
Similar incidents happen from time to time. In fact, it appears that a similar incident has affected the web security provider Imperva. In Imperva's blog post, CEO Chris Hylen mentions that they've been hit by a very similar security incident.
Also, just this March, we reported on a cPanel hosting vulnerability affecting most of the major providers in the world.
And earlier in the year, Bluehost, DreamHost, Hostgator, OVH, and iPage were all reported to have vulnerabilities that allowed third parties to hijack hosting accounts.
At the end of the day, these issues are going to happen. What is important, however, is how the companies react to them. The quicker and the tougher the response, the better. And while it is disappointing to see Hostinger affected by this, the response is very encouraging.
We'll be looking to see what happens in the future - this article is going to be updated with new information.