Over the weekend, millions of customers of web hosting company Hostinger started receiving emails bearing the bad news that their passwords were being reset after a data breach.
According to Hostinger, 14 million of its users are affected by the reset, which became necessary after attackers gained access to an API server on 23 August 2019.
This server contained an authorization token [for a database], which was used to obtain further access and escalate privileges to our system RESTful API Server.
This database contained details of customer accounts, including usernames, email addresses, first names, IP addresses, and hashed passwords.
What this means in practical terms is that anyone whose accounts were among those 14 million will need to reset their Hostinger Client password before they can log in.
Hostinger has said it has sent password reset instructions to all its Client users.
These are hosting accounts for numerous business and personal websites (including their domain and email management), so it’s critical that this is done without delay. So far at least:
Hostinger Client accounts and data stored on those accounts (websites, domains, hosted emails, etc.) remained untouched and unaffected.
Making a hash
Hostinger states that the account passwords were hashed without specifying how this was done. As we’ve discussed in previous articles, some hashing functions are more secure than others.
One news site quotes a customer as having asked Hostinger support which function was used to hash the passwords, receiving the answer:
We used SHA-1, but all passwords have been reset to SHA-256.
Collision attacks (a hypothetically faster way to crack hashes than simple brute-forcing) have been eroding the safety of SHA-1 for years to the extent that big internet companies have readied it for the scrapheap.
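Moving from SHA-1 to SHA-256, as Hostinger's support reply describes, swaps one fast general-purpose hash for another. What actually raises the cost of guessing against a stolen table is a per-user random salt and a deliberately slow, iterated construction. The Python below is an added example, not code from the article or from Hostinger: it puts the unsalted SHA-1 scheme beside a salted PBKDF2-HMAC-SHA256 scheme and shows how a site can verify logins against both record formats while rehashing old ones. The function names, the iteration count, the record format and the sample password are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample credential for the demonstration (not from the article).
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed parameters for the hardened scheme.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def legacy_sha1_hash(password: str) -> str:
    """The weak scheme: one unsalted SHA-1 digest per password.

    Two users with the same password get the same stored value, and a
    single fast hash can be guessed at very high rates offline.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: per-user random salt plus an iterated, slow KDF.

    The returned record carries the scheme, iteration count and salt, so
    the parameters can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_legacy_record(stored: str) -> bool:
    """A bare 40-character lowercase hex string is the old unsalted SHA-1 record."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored)


def login_and_upgrade(password: str, stored: str,
                      iterations: int = PBKDF2_ITERATIONS) -> Tuple[bool, str]:
    """Check a login against either record format.

    A successful login against a legacy record is the one moment the
    plaintext is available, so the record is rehashed with the hardened
    scheme; the returned string is what should be written back to the store.
    """
    if is_legacy_record(stored):
        ok = hmac.compare_digest(legacy_sha1_hash(password), stored)
        if ok:
            return True, hash_password(password, iterations=iterations)
        return False, stored
    return verify_password(password, stored), stored


if __name__ == "__main__":
    old = legacy_sha1_hash(SAMPLE_PASSWORD)
    print("legacy record:", old)
    print("same password, same legacy hash:", old == legacy_sha1_hash(SAMPLE_PASSWORD))
    ok, new = login_and_upgrade(SAMPLE_PASSWORD, old)
    print("login ok:", ok)
    print("upgraded record:", new)
    print("two hardened hashes of one password differ:",
          hash_password(SAMPLE_PASSWORD) != hash_password(SAMPLE_PASSWORD))
```

Rehash-on-login only protects accounts whose owners actually log in again, and it does nothing about copies of the old table the attacker already holds, which is why a forced reset of the kind Hostinger mandated is the right response once a hash database has been taken. The self-describing record format is what makes a later move to a stronger KDF or a higher iteration count a routine change rather than another reset.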
Belatedly, Hostinger announced plans to investigate the origins of the latest incident with a view to improving security. For updates on the incident, refer to the company’s status page.
Ongoing risks
It’s good that Hostinger spotted the breach quickly and has mandated a password reset. Unfortunately, the risk to customers doesn’t stop there.
The attackers have enough information on customers from the other fields on the database to launch convincing phishing attacks, including ones designed to look like security alerts from Hostinger itself.
Our advice is to be extremely cautious about any emails that claim to be from a hosting company or domain registrar. Always access portals from the company’s domain and not via an email link.
000Webhost
Nearly four years ago a subsidiary of Hostinger, 000Webhost, suffered a similar data breach that affected 13 million of its customers.
The breach wasn’t noticed for five months but, worse, it emerged that account passwords had been stored in plain text with no security mechanism applied. As with Hostinger, the company said it would be upgrading its security going forward.
It never hurts to ask about this aspect of account security before choosing a hosting provider.
Cassandra
It never hurts to ask about this aspect of account security before choosing a hosting provider.
Should we have to ask (a rep could say anything), or should they publish anyway as part of their list of features (“We comply with the requirements of ….”)?
Publishing is surely only a security issue if they have rubbish security?
Is there a standard (NIST/ISO/PAS/IETF etc.) for good practice in this area?
Juan Adolfo Bernardo
Can Sophos Email Security support Hostinger email servers?
Paul Ducklin
In theory, you can use Sophos Email Security with any email provider as long as you have control over the DNS record of your email domain name. (Simply put, if you can redirect your MX record to us first, then we can filter and “securify” your email before it even gets to your email hosting company.)