Hacking the Provider: 14 Million Hostinger Accounts Exposed


Web hosting provider Hostinger alerted customers to unauthorized activity that gave an unknown party access to an API that contained 14 million customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm (which is more susceptible to a rainbow table attack and has been deprecated for a few years now).

Credit is due to Hostinger: they not only identified the problem quickly, they also resolved it immediately, reset customer passwords, and sent customers a notice:

Hello,

We have reset your login password as a precautionary measure following a recent security incident. We are taking this extremely seriously and want to let you know what has happened and the immediate steps we have taken to protect your security.

Please click HERE to set Your new password.

During this incident, an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our users. You can read more about the security incident in our blog post.

Your user data that has been affected by this security incident: username, IP address, first and last name, hashed password, and contact information (including email, address, phone number).

Your user data that has not been affected by this security incident: your financial data (including your credit card details); accounts and data stored on those accounts (websites, domains, hosted emails, etc.).

The investigation is still in its early stages. We have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities.

All updates regarding this security incident will be posted in our blog, on our status page, and sent directly to you via email and across other channels. We are sorry for any inconvenience caused. If you have any further questions, please refer to Hostinger help center.

Yours,

Hostinger Team

Perhaps the only thing they could have done better (other than upgrading the hash algorithm used for passwords) would be to make it more difficult for a single entitlement or scope to read every record in an API. This is something everyone does, and it's very difficult to strike the right balance with administrative oversight (the God credentials).

Hostinger's blog post on the topic (yes, they did that right too) can be found here: https://www.hostinger.com/blog/security-incident-what-you-need-to-know/
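An added example (not Hostinger's code and not part of the original post) of the hash upgrade mentioned above: a login check that verifies against a legacy SHA-1 record and replaces it with a salted PBKDF2 record on success. It assumes the legacy records are unsalted SHA-1 hex digests, which the notice does not state; the function names, record format and iteration count are illustrative choices.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_sha1(password: str) -> str:
    """Legacy format assumed here: unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str) -> str:
    """New format: pbkdf2$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login attempt; return (ok, record to store afterwards).

    A legacy record that verifies is replaced with a salted PBKDF2 record,
    so the weak hash disappears the next time the user logs in.
    """
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    # Legacy path: constant-time compare, then re-hash on success.
    if hmac.compare_digest(legacy_sha1(password), stored):
        return True, pbkdf2_record(password)
    return False, stored


if __name__ == "__main__":
    pw = "Summer2019!"  # constructed sample password shared by two users
    # Unsalted SHA-1: both users get the same digest, so one lookup covers both.
    print(legacy_sha1(pw) == legacy_sha1(pw))
    # Salted PBKDF2: the two records differ even for the same password.
    print(pbkdf2_record(pw) == pbkdf2_record(pw))
    ok, upgraded = verify_and_upgrade(pw, legacy_sha1(pw))
    print(ok, upgraded.split("$")[0])
```

Upgrade-on-login only converts accounts that sign in again, so legacy records for dormant accounts still need a forced reset, which is what the notice above describes.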

And here are a few noteworthy news sources on the topic:

ZDNet: Hostinger resets customer passwords after security incident
https://www.zdnet.com/article/hostinger-resets-customer-passwords-after-security-incident/

TechCrunch: Web host Hostinger says data breach may affect 14 million customers
https://techcrunch.com/2019/08/25/web-host-hostinger-data-breach/

The Hacker News: Hostinger Suffers Data Breach – Resets Password For 14 Million Users
https://thehackernews.com/2019/08/web-hosting-hostinger-breach.html