In a blog post today, the company said a hacker gained access to an internal server, where he found an authorization token for an internal API, which he later used to make "API calls affecting information about Clients."
The company said the hacker made API calls against a database storing the personal information of about 14 million customers, such as Hostinger usernames, customers' IP addresses, first and last names, and contact information such as phone numbers, emails, and home addresses.
The database also stored information about user passwords in a hashed format.
As a result, the web hosting provider said it decided to forcibly reset passwords for all impacted accounts, as it discovers affected customers.
At the time of this article's publication, the company did not provide an exact number of impacted users, but password reset emails have started rolling out, with several users reporting receiving them on Twitter.
Hostinger said the hacker(s) did not get their hands on financial data, nor did they compromise customer sites.
The incident was discovered on Friday, August 23. Hostinger has set up a status page where customers can track up to the minute updates regarding this security breach.
The company said the breached server and API have been taken down.
"The reason it is difficult to determine the exact number of Clients because of the type of the breach," Balys Kriksciunas, CEO of Hostinger Group told ZDNet in an email.
"Our central system API server has been compromised and we know the attacker(s) may have crafted calls to extract data directly from the database. We have not recorded such calls, or calls on specific Clients in logs of the API from the attacker(s), but we are taking the worst-case scenario.
"We needed to take quick decisions and we presumed all customers are affected (although we have no logs to prove that customer data has been accessed via compromised API). Following such presumption, we have reset the passwords for all customers that can be accessed via the API server perimeter," Kriksciunas added.
"We cannot disclose more at this stage, since it is a very early stage of an ongoing investigation. We may have different numbers to provide when the investigation elaborates, as we are analyzing our network traffic logs and logs from relevant systems that might suggest the scope of any downloaded information."
Updated at 14:15 ET with additional comments from Hostinger.