The most insecure web hosting company; 14 million Hostinger accounts were hacked

After detecting unauthorized access to the database that stores its customers’ information, and as a measure to prevent future cyberattacks, the web hosting company Hostinger forced a mass password reset for a significant portion of its 14 million users, digital forensics experts report.

In a statement, the Lithuania-based company said: “An unauthorized third party gained access to the API of our internal systems, which ultimately granted it access to our users’ encrypted passwords, among other data related to service payment”. The company was founded in 2004 and has nearly 30 million users in more than 170 countries.

This security incident was detected a couple of weeks ago, although the company was not notified until August 23 by a group of digital forensics experts. Threat actors reportedly used an authorization token on the server to access the company’s systems without using access credentials; the hackers subsequently performed a privilege escalation attack to gain greater access to Hostinger systems.

This attack gave the threat actors full control of an API server, allegedly used to query some details about customer accounts, such as names, email addresses, phone numbers, encrypted passwords, and Hostinger IP addresses. The company asserts that financial data and information about its customers’ web domains were not affected during this incident.

The company’s spokespersons claim that their systems do not store details of their customers’ payment cards, as responsibility for managing these details was delegated to third-party vendors that have “the best security and service certifications”; however, Hostinger refrained from disclosing the names of these providers. In a subsequent digital forensics report, the company mentioned that this access has been removed, the API has been secured, and related systems are being constantly monitored by its IT team.

As for the compromised access, specialists mention that a server may generate a digitally signed authorization token to prove its authenticity when accessing a server with admin privileges. Meanwhile, the company states that its internal investigation is still in progress: “We are implementing new security protocols and establishing stricter controls for access to our networks and servers”. In addition, Balys Kriksciunas, CEO of Hostinger, mentions that the exact number of customers affected is still unknown “due to the characteristics of this security breach”. The company has already notified most affected customers via email, and has also published constant updates about the incident through its website and social media profiles.

International Institute of Cyber Security (IICS) digital forensics specialists mention that there is a risk that the compromised information could be used in spear phishing campaigns, so they recommend that potentially affected users stay alert for malicious emails and establish tighter controls for managing their Hostinger websites, such as multi-factor authentication or any other security option.