On August 23, web hosting provider Hostinger announced that it had suffered a significant data breach that could have affected a huge number of its customers. In the wake of the incident, Hostinger reset its users' passwords as a safety measure.
The official statement from the hosting company said that a hacker gained access to Hostinger's internal API and through it reached a server containing hashed passwords, as well as additional "non-financial" customer information. The affected information includes users' first and last names, their chosen usernames, their IP addresses, hashed passwords, and contact information. The passwords had been hashed using the SHA-1 algorithm.
The newly reset passwords and any custom passwords customers use going forward will be hashed using SHA-2, in an effort to improve security. The announcement underlines that financial information, including card details and user bank account information, has not been compromised. However, the "contact information" that was accessed by the bad actors includes emails, addresses, and phone numbers, which constitute personally identifiable information.
As history shows, data breaches are relentless and have not slowed down in recent years. Just a couple of months ago, Capital One bore the brunt of an attack that affected upwards of 100 million customers, potentially exposing their data to hackers. Fortunately, in the Capital One case, the hacker responsible for the incident has been captured and faces judgement.
Hostinger has estimated that around 14 of its 29 million customers may have been affected by the data breach. The company has already hired external experts as well as engaged its own security specialists and is conducting an investigation. There is still no further information concerning the identity or origin of the attackers, or the exact scope of information that was accessed and potentially downloaded from Hostinger's servers.