Today we received an email from our former hosting company Hostinger (we’ve used it only briefly for testing purposes) about personal data leak and global site-wide password reset campaign.
Hostinger.com API Data Leak – Personal User Data Stolen
This is somewhat similar to the 000webhost.com incident from four years ago, with few notable differences/exceptions:
- User data leak is limited to Hostinger Client account(s) alone, not entire websites/domains those users might have created and use(d)
- Passwords are stored in hashed format (obviously, they will not reveal which one, but you should know that various hashing algorithms vary in strength and they are not equally secure!)
- We now live in a GDPR era, which means that companies and organizations are required by law to report and keep track of all data breaches that they become aware off.
From Hostinger Blog
According to the official Hostinger’s blog, the compromised data is limited to:
- Client’s Email Address
- Client’s Username (for Hostinger Client Area)
- Client’s First Name
- Client’s Password (hashed with cryptographic algorithm)
What data IS NOT compromised / stolen / affected ?
- Client’s Credit Card Data & Other Online Payments (Hostinger never permanently stores this data, according to them)
- Client’s Web Services & Accounts
On August 23rd, 2019 we have received informational alerts that one of our servers has been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server*. This API Server* is used to query the details about our clients and their accounts.
The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users.
On a severity scale, this is, of course, lesser incident than the one that happened with 000webhost, however, keep in mind that hashed passwords can be eventually cracked (converted into their original plain-text form), particularly, if the data represents certain interest to a group or an individual that has enough hardware and software resources to invest in breaking those passwords.
Since Hostinger initiated password reset protocol, there is virtually no chance that your account(s) and websites/applications will be affected in any reasonable time ahead, but still, those passwords contains patterns, which could be interesting to hackers and alike for future analysis and password algorithms optimizations for brute force cracking.
WHAT SHOULD I DO NOW ?
You should follow the password reset link in your email that you’ve received. Just in case – verify email headers (they must originate from hostingeremail.com) and make sure that the received email is legitimate, including the password reset link, which is a very long string of seemingly random letters and numbers:
Format of Hostinger’s incident password reset email link
This is a simple email tracking link (similar to tag manager), that will simply lead you to the following URL:
So, to cut yourself some trouble, you can directly go to above forgot-password reset page, without clicking any links from the received email (if you are careful and suspicious).
FINAL ADVICE / CONCLUSION
Everything we’ve said back then when this happened with 000webhost still holds true with Hostinger, or any other web company in general, when it comes to security breach.
Always, always, always use different passwords (and, ideally, emails) for important accounts and memberships. Do not repeat your passwords with different organizations, because if they breach password from one web site or service, they can know or guess the rest of them pretty easily — namely, email accounts like Gmail, social networks such as Facebook, Twitter, YouTube, Instagram, Snapchat etc. or popular e-commerce/shopping places.
Remember, in modern times, safety comes from you and your habits first, and only later from 3rd party service(s) that you use. You cannot always simply and blindly rely on anything or anyone when it comes to security and damage control in such incidents, but yourself.