Hostinger, one of the biggest web hosting providers on the internet, today disclosed a security incident that impacted its platform and users.
In a blog post today, the company said a hacker gained access to an internal server, where he found an authorization token for an internal API, which he later used to make “API calls affecting information about Clients.”
The company said the hacker made API calls against a database storing the personal information of about 14 million customers, such as Hostinger usernames, customers’ IP addresses, first and last names, and contact information such as phone numbers, emails, and home addresses.
The database also stored information about user passwords in a hashed format.
As a result, the web hosting provider said it decided to forcibly reset passwords for all impacted accounts, as it discovers affected customers.
At the time of this article’s publication, the company did not provide an exact number of impacted users, but password reset emails have started rolling out, with several users reporting receiving them on Twitter.
Hostinger said the hacker(s) did not get their hands on financial data, nor did they compromise customer sites.
The incident was discovered on Friday, August 23. Hostinger has set up a status page where customers can track up-to-the-minute updates regarding this security breach.
The company said the breached server and API have been taken down.
“We have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations,” it said. “As required by law, we are already in contact with the authorities.”
A request for additional comment sent by ZDNet to Hostinger was not returned in time for this article’s publication.