Popular web hosting provider Hostinger has been hit by a massive data breach and has reset passwords for all customers as a precautionary measure.
The breach is said to have happened on Thursday. The company said in a blog post that it received an alert that one of its servers had been improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database. That database contained customer usernames, email addresses, and passwords hashed with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing. The company has since upgraded its password hashing to the stronger SHA-2 algorithm.
Also, the company doesn’t currently offer two-factor authentication (2FA) for its customers’ accounts, though it says it is planning to provide this additional layer of security in the near future.
Hostinger reassured its customers that no financial data is believed to have been accessed as the company never stores any payment card or other sensitive financial data on its servers, adding that third-party payment providers handle payments for its services.
Following the password reset, the company is also urging its customers to set a strong and unique password for their Hostinger accounts and to be cautious of suspicious emails asking them to click on links or download attachments, as well as any unsolicited communications asking for login details or other personal information.