Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.
The breach is said to have happened on Thursday.
The company said in a blog post it received an alert that one of its servers was improperly accessed.
Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database.
That database contained customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing.
The company has since upgraded its password hashing to the stronger SHA-2 algorithm.
Hostinger said the API database stored about 14 million customers records. The company has more than 29 million customers on its books.
The company said it was “in contact with the respective authorities.”
News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.
The company said that financial data was not compromised, nor was customer website files or data affected.
But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.
A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.
Chief executive Balys Kriksciunas told TechCrunch that the remarks made by the customer support representative were “misleading” and denied any customer financial data was compromised. A company investigation into the breach, however, remains under way.