The Latest / Data Security News
September 3, 2019
In the Hostinger hack, unauthorized access to a single server exposed the details of millions of people. How did the breach of the web hosting service happen last month, and what can we learn from the incident?
Unauthorized access to one of Hostinger’s servers gave a hacker possession of an access token. With that token, huge amounts of data became accessible to the perpetrator. Customer usernames, email addresses and passwords hashed with the SHA-1 algorithm were all reachable by the hacker. Some 4 million customers are thought to be affected.
Exactly how the initial access to the server took place is not clear. Hostinger received an alert indicating that one of its servers was ‘improperly accessed’. It’s anyone’s guess what that means, but incidents of this kind keep occurring. Are organizations struggling to apply appropriate data access levels to their users?
More than that, though, once in, hackers too often have free rein. Internal access control is sometimes overlooked, so one small breach leads to huge amounts of stolen data. And unfortunately, in this case, the passwords stored by Hostinger were hashed with the weaker SHA-1 algorithm, which many organizations are phasing out.
Because of the weak hashing used in the Hostinger hack, the company has commenced mandatory password resets. The announcement of the reset came with the standard best-practice recommendations we have all seen before: use a different password for this site than for any other, make it unique, make it long, and so on.
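As an added illustration (not Hostinger’s code or scheme), the routine below shows the defender-side alternative to a blanket reset: a verifier that recognises a legacy unsalted-SHA-1 record and transparently re-hashes the password with salted PBKDF2 on the next successful login. The record format, the `sha1$` / `pbkdf2_sha256$` prefixes and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for the constructed example; not Hostinger's values.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """The weak legacy format: unsalted SHA-1, so equal passwords give equal records."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash: a fresh 16-byte salt per record and a high iteration count."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, upgraded). `upgraded` is a new PBKDF2 record when the stored
    one was legacy SHA-1 and the password matched; the caller should persist it.
    Comparisons use hmac.compare_digest to avoid timing leaks.
    """
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), rest)
        return ok, (pbkdf2_hash(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), None
    raise ValueError(f"unknown hash scheme: {scheme!r}")
```

Running the upgrade path on every successful login lets a site retire SHA-1 records without forcing all users to reset at once; accounts that never log in again are the ones a mandatory reset still has to cover.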
Passwords on their own are not effective. At GDS we advocate multi-factor authentication solutions that combine something you know, something you have and something you are to authenticate identity. This approach reduces incidents of unauthorized access by allowing data controllers to set access levels for users.