Web hosting provider and internet domain registrar Hostinger International has disclosed that an unauthorised third party has breached its internal system API and gained access to data belonging to roughly 14 million users.
In a blog post announcement, the company said that it received an alert on 23 August that someone had accessed one of its servers. "This server contained an authorisation token, which was used to obtain further access and escalate privileges to our system RESTful API Server," the company stated. "This API Server is used to query the details about our clients and their accounts."
In addition to hashed passwords, affected information included usernames, emails, first names and IP addresses. Financial data was not affected because Hostinger outsources financial transactions to third-party payment providers. Hostinger Client accounts and data stored on those accounts were also apparently spared.
Even though the passwords were hashed, Hostinger still reset all of its clients’ login passwords. The company also said that it has been engaged with law enforcement, hardened server and network settings and "restricted the vulnerable system" such that "access is no longer available."
This article was originally published on SC Media US.