The Hostinger breach shows the value of dual-factor authentication
The password theft associated with the recent Hostinger breach is a call for service providers to protect users from payment fraud.
With the usernames, SHA-1 hashed passwords, email addresses, names, and IP addresses of over 14 million Hostinger customers now exposed, customers of Hostinger must immediately change their passwords along with any other accounts using the same password.
For service providers wishing to avoid sophisticated attacks that reuse the data from this breach, two-factor authentication can be combined with other security layers such as passive biometrics and behavioral analytics, so that if one layer fails, another layer of security takes over, protecting the customers' accounts even if the credentials have been stolen.
While two-factor authentication capabilities can help verify the user, behavioral analytics and passive biometrics allow you to learn and trust the user’s behavior both at login and across the session.
This way you put the trust on the human instead of the device. With passive biometrics, customers are identified by their behavior online and not by static data such as passwords or one-time codes. This inherent behavior cannot be duplicated by hackers, even if they use correct static data, devaluing stolen credentials and protecting the customer account.
Customers must also consider whether their accounts were fraudulently accessed on Hostinger and other locations online. The migration from a SHA-1 hashing scheme to SHA-256 will greatly improve the security of consumers’ passwords stored by Hostinger. In addition to the move to SHA-256 it’s important that the password is salted with unique information prior to being hashed to improve the security of the hash further.
Customers interested in mitigating the impact of the breach to their accounts must use unique and complex passwords with multi-factor authentication where available. Once a user's login credentials are compromised, you must consider them compromised for every service provider where you reused the username and password combination.