Web hosting company Hostinger has reset the passwords of its users. This happened after third parties gained unauthorized access to a database containing the data of several million users.
A company blog post reports that the incident took place on 23 August. Outsiders obtained an access token from a hacked server, which allowed them to penetrate the company’s system. This in turn gave the cybercriminals access to an API of Hostinger’s internal system. That API exposed hashed passwords and other user data to them. Other data that leaked included e-mails, usernames and first names of 14 million customers.
Hostinger also reports that no financial data of users has been leaked, because payments are made via third-party providers. The company also states that client accounts and the associated data were not endangered.
Security investigation
Internally, an investigation team has been formed with the help of external experts to find out how the data leak originated. Based on the results of the investigation, the security measures at Hostinger will be adapted and/or improved. In the meantime, all affected users have received an email telling them that they need to change their password. Hostinger encourages users to choose passwords that are hard to crack. Reusing passwords is also strongly discouraged.
TechCrunch reports that the company used the SHA-1 algorithm for ‘scrambling’ passwords. However, this algorithm was superseded by the SHA-2 algorithm some time ago. The SHA-1 algorithm is also vulnerable to ‘spoofing’, the falsification of user data by cybercriminals. In the meantime, the SHA-1 algorithm has been replaced by SHA-2.
This news article was automatically translated from Dutch.