Almost 14 million customers of hosting provider Hostinger need to reset their passwords as a hacker got into their database.The incident occurred on August 23 and a third party was able to access usernames, hashed passwords, emails, first names, and IP addresses.
This was possible because the server had an authorization token that allowed access and privilege escalation to a RESTful API used for queries about customers and their accounts, including phone numbers and home address or business address.
Web host Hostinger says data breach may affect 14 million customers https://t.co/m5fl89g1ua pic.twitter.com/WHg0wWyRs8
— David Papp (@DavidPapp) August 26, 2019
With the usernames, SHA-1 hashed passwords, email addresses, names, and IP addresses of over 14 million Hostinger customers now breached, customers of Hostinger must immediately change their passwords along with any other accounts that they might have reused the same password on. Customers must also consider whether their accounts were fraudulently accessed on Hostinger and other locations online. The migration from a SHA-1 hashing scheme to SHA-256 will greatly improve the security of consumers’ passwords stored by Hostinger. In addition to the move to SHA-256 it’s important that the password is salted with unique information prior to being hashed to improve the security of the hash further.
Customers interested in mitigating the impact of the breach to their accounts must use unique and complex passwords with multifactor authentication where available. Once your login credentials are compromised, you must consider them compromised for every service provider where you reused the username and password combination. If you’re looking for help managing unique and complex passwords, a password manager like Lastpass or Onelogin can be extremely useful to help create and manage your passwords.
For service providers wishing to avoid sophisticated attacks that reuse the data from this breach, two-factor authentication can be combined with other security layers such as passive biometrics and behavioral analytics, so that if one layer fails, another layer of security takes over, protecting the customers\’ accounts even if the credentials have been stolen.
While two-factor authentication capabilities can help verify the user, behavioral analytics and passive biometrics allow you to learn and trust the user’s behavior both at login and across the session. This way you put the trust on the human instead of the device. With passive biometrics, customers are identified by their behavior online and not by static data such as passwords or one-time codes. This inherent behavior cannot be duplicated by hackers, even if they use correct static data, devaluing stolen credentials and protecting the customer account.
Two observations come to mind when reviewing the publicly available information on this security incident. The first is that this is yet another incident that exposes user information, which can then be used by attackers for a range of purposes. The second observation focuses on the explosive growth of API usage as organizations transition from monolithic to componentized or services oriented applications. APIs act as the connective tissue linking the different components to each other, apps to apps, public facing web forms and mobile apps to back end systems. Using APIs in this manner facilitates a more rapid and iterative application development methodology. In many cases the APIs are publicly accessible (and easily discoverable by attackers) yet it is not uncommon to find these APIs residing outside of the application security infrastructure, which is analogous to locking the front door, while leaving the side door unlocked. To be clear and fair to Hostinger, this does not appear to be the cause of this particular security incident, but we frequently see organizations applying rigorous security to their public facing web applications, but ignoring the APIs that lie just behind the HTML pages. Organizations must make sure that the API-based applications, and the digital assets they are accessing are protected consistently.