Hostinger said it has reset customer passwords as a “precautionary measure” after it detected unauthorized access to a database containing data on millions of its customers.
The breach is said to have happened on Thursday. The company said it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database containing customer usernames, email addresses, and scrambled passwords.
Hostinger said the API database held about 14 million customer records. The company has more than 29 million customers on its books.
“We have restricted the vulnerable system, and such access is no longer available,” said Daugirdas Jankus, Hostinger’s chief marketing officer, in a blog post.
“We are in contact with the respective authorities,” said Jankus.
News of the breach first broke overnight. According to the company’s status page, affected customers will be contacted by email to reset their passwords.
The company also said that no financial data was taken in the breach, and that customer website files and data were not affected.
But one customer who contacted TechCrunch about the breach accused the company of being potentially “misleading” about the scope of the breach.
A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that financial data can be retrieved by the API but that the company does “not store any payment data whatsoever.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.
“They say they do not store payment details locally, but they have an API that can pull this information from the payment processor and the attacker had access to it,” said the customer.
We’ve reached out to Hostinger for more, but a spokesperson didn’t immediately comment when reached by TechCrunch.