UPDATED 23:03 EDT / AUGUST 26 2019

14M accounts compromised in hack of web hosting provider Hostinger

The details of about 14 million customers of web hosting provider Hostinger International Ltd. have been compromised by a “security incident” that took place on Aug. 23.

To its credit, Hostinger has been upfront with customers in its disclosure, writing Sunday that one of its servers had been accessed by an unauthorized third party.

“This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server*,” Hostinger wrote. “This API Server* is used to query the details about our clients and their accounts.”

The company added that the application programming interface database, which includes client usernames, emails, hashed passwords, first names and IP addresses, was accessed by the third party. The database table that holds client data contains information on about 14 million Hostinger users; the stolen data did not include any financial data.

While not disclosing the method of cryptographic hashing used to protect user passwords, Hostinger is forcing all users to reset their passwords as a “precautionary measure.”

Explaining the methodology of the hack, Stephen Gates, cybersecurity evangelist at security software company Checkmarx Ltd., told SiliconANGLE that the APIs were apparently secured using tokens designed to protect them from unauthorized access.

“The real question is how an attacker gained unauthorized access to a ‘server’ where the tokens were stored,” he said. “The likelihood of an attacker exploiting a software vulnerability to gain access to the server in question is quite high since it’s one of the many possible methods of obtaining a foothold into an organization.”

Even though Hostinger has taken steps to reset passwords, he added, users who employ the same password across multiple accounts would be advised to change those as well.

George Avetisov, chief executive officer of cybersecurity company HYPR Corp., noted that this is yet another unwelcome example of the security issues created by the very nature of password- and shared secret-based user authentication.

“Once this sensitive user information finds its way onto the dark web, it allows other hackers to leverage and weaponize it against more unrelated enterprises in credential stuffing attacks which cause all kinds of disruptions from financial fraud via account takeover to more mass data breaches to nation-state espionage,” Avetisov added. “Unfortunately, until enterprises realize the inherent lack of security of passwords and shared secrets, we, the users, will continue to experience the widespread dangers of keeping these 60-year-old systems in place.”
