Security Incident: What We Did to Improve Security of Our Infrastructure

Security Incident: What We Did to Improve Security of Our Infrastructure

November 25th, 2019

We want to update you on what further steps are being taken to ensure the future security of Hostinger’s clients and services, along with what our teams have learned while revising the security vulnerability issues that caused the incident. This is just the beginning of our security improvement roadmap. Here is what we have done so far:

  1. We have rewritten a considerable amount of our backend system code and removed a lot of dependencies on external libraries that had the potential to be vulnerable.
  2. We have assembled a dedicated cybersecurity team. They are constantly monitoring our systems and are performing internal security tests to find any possible loopholes. This has dramatically raised the awareness of our staff to be more vigilant and cautious.
  3. We are implementing auto-rotatable system passwords (Hashicorp Vault), so any system-critical login credentials are only valid for a period of up to 2-3 days.
  4. We are rolling out a Two-Factor Authentication feature for our clients over the following two weeks. It will allow our users to set 2FA for their services, so it will be no longer sufficient to use your login credentials only.
  5. We are moving out any client-sensitive data, such as emails, names, and surnames outside to a separate database, which can only be accessed through a strictly audited channel. Calls to this database will be minimized since 99% of actions on our platform do not require this information and can solely rely on the Client ID of our users.
  6. We have removed a lot of deprecated code and logic, minimizing many attack vectors.
  7. As mentioned previously, we have rotated all of the credentials on our systems, decreased access rights for our staff, so any user on the system can only access the necessary amount of resources.
  8. We are implementing Bastion servers to reduce direct connections to servers and reducing the number of systems that have access to internal systems.

As you can see, some efforts are still ongoing since we are prioritizing sustainable and smooth implementation. We aim to finalize these changes before the start of 2020 while planning other security improvements for the future. We will make sure that all Hostinger clients will be informed on the latest changes on our blog so they can begin using these new features as soon as possible.

Finally, we would like to thank our entire community for the utmost patience, trust, help, and feedback provided during the incident. We would not be where we are now without all of you.

August 25th, 2019

We have reset all Hostinger Client passwords as a precautionary measure following a recent security incident. We are taking this extremely seriously and want to let everyone know what has happened and the immediate steps we have taken to protect our clients’ security.

During this incident, an unauthorized third party gained access to our internal system APIs. One of them had access to hashed passwords and other non-financial data about our customers.

We have restricted the vulnerable system, and such access is no longer available.

We are also in contact with the respective authorities.

What Happened?

On August 23rd, 2019 we received informational alerts that one of our servers had been accessed by an unauthorized third party. This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server*. This API Server* is used to query the details about our clients and their accounts.
*[Latest Edit on 2019-08-25 17:43 UTC]

The API database, which includes our client usernames, emails, hashed passwords, first names, and IP addresses was accessed by an unauthorized third party. The respective database table that holds client data, has information about 14 million Hostinger users.

We Have Reset All Client Passwords as a Precautionary Security Measure

We use a cryptographic hash function to encrypt all our client passwords. It is a one-way mathematical function that converts your password to a seemingly random sequence of characters. However, as per standard and precautionary security practices, we have reset all Hostinger client login passwords. We have sent emails to all Hostinger clients with further information regarding the password reset.

Hostinger Client Financial Data Is Safe

Payments for Hostinger services are made through authorized and certified third-party payment providers. It means that we never store any payment card or other sensitive financial data on our servers and it has not been accessed or compromised.

Hostinger Client Websites and Data Are Not Affected

We completed a thorough internal investigation. Hostinger client accounts and data stored on them (websites, domains, hosted emails, etc.) remained untouched and unaffected.

What Steps We Have Taken So Far

Following the incident, we have identified the origin of the unauthorized access and have taken necessary measures to protect data about our clients. This includes a mandatory password reset for our clients and systems within all of our infrastructure.

Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase the security measures of all Hostinger operations. As required by law, we are already in contact with the authorities.

The investigation is still in its early stages. All updates regarding this security incident will be posted in this blog, on our status page, and sent directly to our clients via email and across other channels.

What Our Clients Can Do to Further Secure Their Accounts

Following the password reset, we urge our clients to choose strong passwords that are not utilized elsewhere. Clients should be cautious of any unsolicited communications that ask for your login details, personal information, or refer you to a website asking for the above information. We also strongly suggest not clicking on the links or downloading attachments from suspicious emails.

We remind our clients not to use the same passwords on multiple service providers across the web and to generate strong unique passwords with password management tools.

If you have further questions regarding the security of your account, you may contact the Hostinger Help Center which is available 24/7.

We will be updating this blogpost regularly with important updates regarding this security incident.

If you have any further questions, please refer to Hostinger Help Center.

For media inquiries, please contact press@hostinger.com.

If you wish to delete your personal data from Hostinger, please contact gdpr@hostinger.com.

Author
The author

Daugirdas J.

Daugirdas is the Chief Marketing Officer at Hostinger. With plenty of experience scaling business operations around the world, he loves the fast-paced startup environment and is always looking for new opportunities to drive Hostinger’s growth. Daugirdas values effectiveness, brevity, and honesty – they guide his approach to business as much as his love for rock & roll.