Security Incident: What You Need To Know
access_time
hourglass_empty
person_outline

Security Incident: What You Need To Know

August 25th, 2019

We have reset all Hostinger Client passwords as a precautionary measure following a recent security incident. We are taking this extremely seriously and want to let everyone know what has happened and the immediate steps we have taken to protect our Clients’ security.

During this incident, an unauthorized third party has gained access to our internal system API, one of which had access to hashed passwords and other non-financial data about our customers.

We have restricted the vulnerable system, and such access is no longer available.

We are in contact with the respective authorities.

What happened?

On August 23rd, 2019 we have received informational alerts that one of our servers has been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server*. This API Server* is used to query the details about our clients and their accounts.
*[Latest Edit on 2019-08-25 17:43 UTC]

The API database, which includes our Client usernames, emails, hashed passwords, first names and IP addresses have been accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users.

We have reset all Client passwords as a precautionary security measure

We use a cryptographic hash function to encrypt all our Client passwords. It is a one-way mathematical function that converts your password to a seemingly random sequence of characters. However, as per standard and precautionary security practices, we have reset all Hostinger Client login passwords. We have sent emails to all Hostinger Clients with further information regarding password reset.

Hostinger Client financial data is safe

Payments for Hostinger services are made through authorized and certified third-party payment providers. It means that we never store any payment card or other sensitive Client financial data on our servers and it has not been accessed or compromised.

Hostinger Client websites and data are not affected

We completed a thorough internal investigation. Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.

What steps we have taken so far

Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our Clients, including mandatory password reset for our Clients and systems within all of our infrastructure.

Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities.

The investigation is still in its early stages. All updates regarding this security incident will be posted in this blog, on our status page, and sent directly to our Clients via email and across other channels.

What our Clients can do to further secure their accounts

Following the password reset, we urge our Clients to choose strong passwords that are not utilized on other websites. Clients should be cautious of any unsolicited communications that may ask for your login details, personal information or refer you to a website asking for the above-mentioned information. We also strongly suggest to avoid clicking on the links or downloading attachments from suspicious emails.

We remind our Clients not to use the same passwords on multiple service providers across the web and to generate strong unique passwords with password management tools.

If you have further questions regarding the security of your account, you may contact Hostinger help center which is available 24/7.

We will be updating this blogpost regularly with important updates regarding this security incident.

If you have any further questions, please refer to Hostinger Help center.

For media inquiries, please contact press@hostinger.com.

If you wish to delete your personal data from Hostinger, please contact gdpr@hostinger.com.

The Author

Author

Daugirdas Jankus / @daugirdasjankus

Related stories

Author

Ralph Vincent Reply

October 04, 2019

Thanks very much by you work. I apreciated this.

Author

Mohamed Hassan Reply

August 26, 2019

Thanks for the excellent effort. I am not sure why other users do not appreciate your promoted action. I do appreciate it though. I hope you can get to the bottom of this. We had experiences like this with other host providers and non have took action like you did. Well done. Keep up the great work.

Author

Jake Reply

August 25, 2019

Really appreciate the honesty of Hostinger. Changed everything from my side, going to stay with you guys. Best of luck,,,

Author

Ernestas Reply

August 25, 2019

good to know that you are hiring data scientists, but not security experts, after someone stole your clients data :)

Author

Naeem Reply

August 25, 2019

Hi, I am using social login - google login, is it possible to switch to login based on email id, i hate google

    Author

    Daugirdas Jankus

    Replied on August 25, 2019

    Hello, I am afraid I cannot answer this at the moment. However, I would recommend contacting Hostinger Help center - we will do our best to help you on the matter. Thanks!

Author

Daniel Reply

August 25, 2019

Hi, is there a reason for not encrypting userdate (e-mail, address and so on)?

    Author

    Daugirdas Jankus

    Replied on August 25, 2019

    Hello! Yes, there is. Some of the user data is not encrypted, because it is shown in different places all over your member's area. If encrypted, it would be not possible to decrypt it and show it on your member's area. However, we have assembled a team of internal and external experts to investigate the origin of the incident and increase security measures of all Hostinger operations, so that similar issues would not happen in the future.

Author

Dave Reply

August 25, 2019

Hi Received your email informing me of the attack, clicked the link (at the top of this page) to login to change my password, and it's come back with "User with this email does not exist". If I then click "Forgot Password?", I get "Client not found" How do I get past this? Thanks

    Author

    Daugirdas Jankus

    Replied on August 25, 2019

    Hello, that sounds like some kind of edge case. Please refer to Hostinger Help Center and we will take care of the matter. Thank you!

Author

tradecoin Reply

August 25, 2019

I received an email asking for a password reset I have to check the email name carefully to make sure it is not fake email

    Author

    Daugirdas Jankus

    Replied on August 25, 2019

    Hello, the email is not fake. Please follow the instructions in the email. All further updates will be posted in this blogpost. Thanks!

Author

Jordan Reply

August 25, 2019

Does this mean that my name, company name, IP addresses, phone, email, and home address/business address are now out in the public or on some hacker's sale stash?

    Author

    Daugirdas Jankus

    Replied on August 25, 2019

    Hello, what we know is that our Client database has been accessed, meaning the 3rd party could potentially retrieve such records with the access tokens he held. We have reset all Client passwords as a precautionary security measure, Hostinger Client financial data is safe and Hostinger Client websites and data are not affected. We will keep posting further updates in this blogpost.

Author

Alpaca Reply

August 25, 2019

So... when are we getting 2FA on Hostinger?

    Author

    Daugirdas Jankus

    Replied on August 25, 2019

    Hello and thank you for your comment! We use a cryptographic hash function to encrypt all our Client passwords. At the moment, we have reset all Client passwords as a precautionary security measure. We are planning to provide 2FA in the near future. The safest option is to use Social logins (Google, Facebook or Github). Anyone using Social logins do not need to change or even set their members area password.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Become a part of Hostinger now!