Hostinger upgrades password security after 14m accounts breached

27 Aug 2019 | Data loss, Security threats
by John E Dunn

Over the weekend, millions of customers of web hosting company Hostinger started receiving emails bearing the bad news that their passwords were being reset after a data breach.

According to Hostinger, 14 million of its users are affected by the reset, which became necessary after attackers gained access to an API server on 23 August 2019.

This server contained an authorization token [for a database], which was used to obtain further access and escalate privileges to our system RESTful API Server.

This database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords.

What this means in practical terms is that anyone whose accounts were among those 14 million will need to reset their Hostinger Client password before they can log in.

Hostinger has said it has sent password reset instructions to all its Client users.

These are hosting accounts for numerous business and personal websites (including their domain and email management), so it’s critical that this is done without delay. So far at least:

Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.

Making a hash

Hostinger states that the account passwords were hashed without specifying how this was done. As we’ve discussed in previous articles, some hashing functions are more secure than others.

One news site quotes a customer as having asked Hostinger support which function was used to hash the passwords, receiving the answer:

We used SHA-1, but all passwords have been reset to SHA-256.

Collision attacks (a hypothetically faster way to crack hashes than simple brute-forcing) have been eroding the safety of SHA-1 for years to the extent that big internet companies have readied it for the scrapheap.
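Whatever one makes of the SHA-1 versus SHA-256 question, both are fast, unsalted general-purpose hashes: two users with the same password get the same digest, and every guess an attacker makes costs a single cheap hash call. The following added example (written for this article, not Hostinger's or Sophos's code) contrasts that unsalted single-pass scheme with a salted, iterated password hash built on PBKDF2-HMAC-SHA256 from Python's standard library. The sample password, the record format and the iteration count are all choices made here for illustration.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample password for the demonstration; not taken from the page.
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor chosen for this example; tune it to your hardware budget.
DEFAULT_ITERATIONS = 200_000


def fast_hash(password: str, algo: str = "sha1") -> str:
    """Unsalted single-pass hash of the kind the article describes (SHA-1 by default,
    'sha256' also accepted). Identical passwords always yield identical digests, and an
    attacker can test guesses at the raw speed of the hash function."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def same_digest_for_two_users(password: str, algo: str = "sha1") -> bool:
    """Shows the salt problem: two accounts sharing a password are indistinguishable in
    an unsalted table, so cracking one cracks both."""
    return fast_hash(password, algo) == fast_hash(password, algo)


def make_password_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated record in the form 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh 16-byte random salt per user means equal passwords give different records,
    and the iteration count makes each guess proportionally more expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def _parse_record(record: str) -> Tuple[int, bytes, bytes]:
    scheme, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, record: str) -> bool:
    """Recomputes the derived key from the stored salt and iteration count and compares in
    constant time, so a timing side channel does not leak how many bytes matched."""
    iterations, salt, expected = _parse_record(record)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was created with a weaker work factor than the current
    policy; a service can re-hash such accounts transparently at the next successful login."""
    iterations, _, _ = _parse_record(record)
    return iterations < minimum_iterations


if __name__ == "__main__":
    print("unsalted sha1   :", fast_hash(SAMPLE_PASSWORD))
    print("unsalted sha256 :", fast_hash(SAMPLE_PASSWORD, "sha256"))
    rec_a = make_password_record(SAMPLE_PASSWORD)
    rec_b = make_password_record(SAMPLE_PASSWORD)
    print("record A        :", rec_a)
    print("record B        :", rec_b)
    print("records differ  :", rec_a != rec_b)
    print("verify ok       :", verify_password(SAMPLE_PASSWORD, rec_a))
    print("verify wrong    :", verify_password("not the password", rec_a))
```

The point of `needs_rehash` is that a provider does not have to force a mass reset to move from a fast hash to a slow one: it can verify against the old record at login, and, once the plaintext is momentarily available, store a new record under the stronger scheme.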

Belatedly, Hostinger announced plans to investigate the origins of the latest incident with a view to improving security. For updates on the incident, refer to the company’s status page.


Ongoing risks

It’s good that Hostinger spotted the breach quickly and has mandated a password reset. Unfortunately, the risk to customers doesn’t stop there.

The attackers have enough information on customers from the other fields on the database to launch convincing phishing attacks, including ones designed to look like security alerts from Hostinger itself.

Our advice is to be extremely cautious about any emails that claim to be from a hosting company or domain registrar. Always access portals from the company’s domain and not via an email link.
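The advice above, "access portals from the company's domain and not via an email link", can be turned into a mechanical check for anyone triaging a suspicious message. The following added example is not part of the original article; it uses a constructed allowlist domain, `example-hosting.com`, standing in for the real provider's domain, and shows the classic ways a link can look right while pointing elsewhere: a credential-style `trusted.com@evil` prefix, the trusted name used as a subdomain of an attacker's domain, a non-web scheme, and a punycode host that may render as a lookalike.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist; replace with the domain(s) your provider actually uses.
TRUSTED_DOMAINS = {"example-hosting.com"}


def link_host(url: str) -> Optional[str]:
    """Return the lowercased host a browser would actually connect to, or None if the
    link is not an http(s) URL. urlsplit().hostname discards any 'user@' prefix and port,
    which is exactly the part a phisher hopes the reader will mistake for the site name."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return parts.hostname


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only when the host is a trusted domain or a subdomain of one.
    Punycode labels (xn--) are rejected outright: the visible text may look identical
    to the real name while the registered domain is different."""
    host = link_host(url)
    if not host:
        return False
    if host.startswith("xn--") or ".xn--" in host:
        return False
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_links(urls, trusted=TRUSTED_DOMAINS):
    """Label each link so a reviewer can see at a glance which ones leave the provider's domain."""
    return {u: ("trusted" if is_trusted_link(u, trusted) else "untrusted") for u in urls}


# Constructed sample links, as they might appear in a "security alert" email.
SAMPLE_LINKS = [
    "https://portal.example-hosting.com/password/reset",     # genuine subdomain
    "HTTPS://Example-Hosting.com/login",                     # case differences are harmless
    "https://example-hosting.com@evil.example/reset",        # userinfo trick: real host is evil.example
    "https://example-hosting.com.evil.example/reset",        # trusted name as a subdomain of the attacker
    "https://xn--exmple-hosting-hqb.com/reset",              # punycode lookalike
    "javascript:alert(1)",                                   # not a web link at all
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:9s} {link_host(url)!s:35s} {url}")
```

Running the block prints a verdict and the effective host for each sample link; the instructive rows are the `@` and subdomain cases, where the trusted name is present in the text but `link_host` reports a different domain.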

000Webhost

Nearly four years ago a subsidiary of Hostinger, 000Webhost, suffered a similar data breach that affected 13 million of its customers.

The breach wasn’t noticed for five months but, worse, it emerged that account passwords had been stored in plain text with no security mechanism applied. As with Hostinger, the company said it would be upgrading its security going forward.

It never hurts to ask about this aspect of account security before choosing a hosting provider.

One comment on “Hostinger upgrades password security after 14m accounts breached”

  1. Cassandra says:
    August 29, 2019 at 5:19 pm

    It never hurts to ask about this aspect of account security before choosing a hosting provider.

    Should we have to ask (a rep could say anything), or should they publish anyway as part of their list of features (“We comply with the requirements of ….”)?
    Publishing is surely only a security issue if they have rubbish security?
    Is there a standard (NIST/ISO/PAS/IETF etc.) for good practice in this area?

    Reply
