The web hosting provider Hostinger announced that it was forced to reset over 14 million customer logins. The incident occurred on August 23rd when a third party was able to access usernames, hashed passwords, email addresses, first names, and IP addresses. The breach was possible because the affected server had an authorization token that allowed access and privilege escalation that allows queries about clients and their accounts, phone numbers, home, and business addresses. Hostinger forced a password reset in response to this breach for all of its clients. According to the hosting service, financial data and financial websites were not involved. Hostinger uses a third-party payment portal and an investigation showed that it was not affected. The information stolen could be used by attackers to perform several styles of attacks, such as credential stuffing which is where the attacker attempts to use the login credentials on multiple sites in an attempt to access information. Currently, an investigation is underway to pinpoint the breach point and how to secure it properly.
Analyst Notes
Clients are required to reset their passwords due to the forced reset. Password managers can assist users in recommending very complex passwords and store them on a physical device for safekeeping. It is also recommended to enable two-factor authentication (2FA) whenever possible.
