Hostinger, one of the biggest web hosting providers on the internet, disclosed today a security incident that impacted its platform and users.
In a blog post today, the company said a hacker gained access to an internal server[1], where he found an authorization token for an internal API, which he later used to make "API calls affecting information about Clients."
The company said the hacker made API calls against a database storing the personal information of about 14 million customers, such as Hostinger usernames, customers' IP addresses, first and last names, and contact information such as phone numbers, emails, and home addresses.
The database also stored information about user passwords in a hashed format.
As a result, the web hosting provider said it decided to forcibly reset passwords for all impacted accounts, as it discovers affected customers.
At the time of this article's publication, the company did not provide an exact number of impacted users, but password reset emails have started rolling out, with several users reporting receiving them on Twitter.
Hostinger said the hacker(s) did not get their hands on financial data, nor did they compromise customer sites.
The incident was discovered on Friday, August 23. Hostinger has set up a status page[2] where customers can track up-to-the-minute updates regarding this security breach.
The company said the breached server and API have been taken down.
"The reason it is difficult to determine the exact number of Clients is because of the type of the breach," Balys Kriksciunas, CEO of Hostinger Group, told ZDNet in an email.
"Our central system API server has been compromised and we know the attacker(s) may have crafted calls to extract