Web hosting provider and Internet domain registrar Hostinger International, Ltd. has disclosed that an unauthorized third party breached its internal system API last Friday and gained access to data belonging to roughly 14 million users.

In a blog post announcement yesterday, the company said that on Aug. 23 it received an alert that someone had accessed one of its servers. “This server contained an authorization token, which was used to obtain further access and escalate privileges to our system RESTful API Server,” the company stated. “This API Server is used to query the details about our clients and their accounts.”

In addition to hashed passwords, affected information included usernames, emails, first names and IP addresses. Financial data was not affected because Hostinger outsources financial transactions to third-party payment providers. Hostinger Client accounts and data stored on those accounts were also apparently spared.

Even though the passwords were hashed, Hostinger still reset all of its clients’ login passwords. The company also said that it has been engaged with law enforcement, hardened server and network settings and “restricted the vulnerable system” such that “access is no longer available.”