Cyber Incident Victim: Hostinger
Date:
Aug 2019
Location:
Lithuania
Summary
A web hosting provider experienced a security breach where an attacker compromised an internal server, obtaining an authorization token to access an internal API. This unauthorized access potentially exposed personal data of approximately 14 million users, including usernames, IP addresses, names, contact details, and hashed passwords. No financial information or customer-hosted sites were affected. The company enforced password resets for all accounts as a precautionary measure, citing insufficient logs to confirm the exact scope of data access. The breached server and API were decommissioned following incident discovery, with ongoing investigations continuing to assess the full impact.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 23, 2019, Hostinger discovered a security breach involving unauthorized access to an internal server. An attacker obtained an authorization token for an internal API, which was subsequently exploited to execute API calls targeting a customer database. The compromised database contained personal information of approximately 14 million users, including Hostinger usernames, first and last names, IP addresses, and contact details such as email addresses, phone numbers, and physical addresses. Hashed password data was also stored in the affected system. Hostinger confirmed the attacker did not access financial information or compromise customer-hosted websites. The company initiated immediate containment by shutting down the breached API server and associated infrastructure to prevent further unauthorized activity.
Hostinger enforced password resets for all customers whose accounts fell within the API server's access perimeter, adopting a worst-case scenario approach despite lacking definitive evidence of specific data exfiltration in system logs. CEO Balys Kriksciunas stated the absence of recorded malicious API calls complicated precise impact assessment, necessitating broad remediation measures. The company established a dedicated status page to provide real-time breach updates to customers while internal and external investigations continued. Hostinger emphasized the preliminary nature of findings and refrained from disclosing additional technical specifics due to the active investigation. No evidence suggested customer website tampering or financial system compromise during the incident.