
On July 5, 2024, hosting provider Hetzner published a blunt warning on its public status page: phishing emails were circulating “in the name of Hetzner,” aiming to steal customer login credentials and, in some cases, credit card details. The incident is listed as Status: Identified and Affected systems: General, which is status-page speak for “our infrastructure isn’t down, but your inbox might be under attack.” (Original incident post)
The key point: this isn’t a Hetzner platform breach announcement. It’s an impersonation campaign—classic social engineering—where attackers try to lure users to fake login pages and payment forms. Those pages are designed to harvest credentials, payment card data, and anything else a hurried person might type in while thinking “I need to fix this before my server gets locked.”
This article expands on Hetzner’s incident notice and places it in a broader cybersecurity context: why these campaigns keep working, what modern phishing looks like (spoiler: it can look depressingly professional), and what specific steps you can take to protect both personal and organizational Hetzner accounts. We’ll also cover what to do if you already clicked something you shouldn’t have—because if you’re reading this with a sinking feeling in your stomach, you’re not alone.
What Hetzner reported (and what it didn’t)
Hetzner’s status entry describes a wave of phishing emails impersonating Hetzner. The company highlights three recurring characteristics:
- Artificial urgency (for example, “last reminder,” “urgent renew,” “your contract will end soon”).
- Fake sender names (like “HETZNER,” “HetznerSupportTeam,” “Hetzner Online GmbH”), often paired with non-Hetzner sender domains.
- Links that look legitimate but lead to fake Hetzner login pages attempting to steal account credentials and/or credit card data.
Hetzner’s guidance is straightforward: don’t open, don’t click, delete it. If you already entered credentials, change your Hetzner password immediately and enable two-factor authentication (2FA). Hetzner also asks customers not to call phone support about phishing and instead contact support via email. (Hetzner incident notice)
What the notice doesn’t say is equally important for interpreting the situation: it does not claim Hetzner’s own systems were compromised, nor does it indicate customer databases were exfiltrated. Phishing campaigns commonly leverage publicly available brand assets (logos, support phrasing, product names), and they can target customers without any inside access at all. That’s one reason phishing is such a persistent nuisance: it scales nicely for attackers, even when vendors are doing “everything right” on their own infrastructure.
Why hosting-provider phishing is especially dangerous
Phishing campaigns pretending to be a social network are annoying. Phishing campaigns pretending to be your hosting provider are potentially catastrophic.
If an attacker gains access to your hosting account, the blast radius can include:
- Server takeover: resetting root passwords, injecting SSH keys, creating new cloud instances to mine crypto or host malware.
- Domain and DNS control: changing DNS records to redirect traffic, intercept email, or stage additional phishing pages.
- Customer data exposure: if you host applications or databases, attackers may pivot to the assets you run.
- Billing fraud: charging new services, altering payment details, or harvesting card data for later misuse.
- Supply chain compromise: if your environment builds or distributes software, compromise can cascade to downstream customers.
That last point is not theoretical. Attackers love to compromise infrastructure providers because it’s the digital equivalent of stealing the keys to a building instead of picking every apartment lock.
Phishing’s bigger context: the numbers keep going up
Hetzner’s warning also lands in the middle of a broader trend: phishing remains one of the most frequently reported cybercrime categories, and losses across online scams continue to rise.
According to the FBI’s Internet Crime Complaint Center (IC3), in 2024 the IC3 received 859,532 complaints with losses totaling $16.6 billion, and the top complaint categories included phishing/spoofing. (FBI release on Internet Crime Report 2024)
The IC3’s 2023 report release similarly lists phishing/spoofing as the most frequently reported crime type, with over 298,000 complaints reported in 2023. (FBI release for 2023 IC3 report)
Those figures help explain why we keep seeing brand-impersonation waves like this one: phishing is not just a “security issue,” it’s a cashflow strategy. Criminal operations iterate subject lines, landing pages, and delivery methods the same way growth teams A/B test onboarding funnels—except with more fraud and less Slack etiquette.
How the Hetzner impersonation scam typically works
Hetzner’s notice outlines the essentials. Let’s expand the typical flow, because seeing the full playbook helps you recognize variants.
Step 1: A credible pretext + a ticking clock
Attackers frequently use administrative themes that sound plausible for hosting customers:
- “Accept updated data protection policies”
- “Domain renewal failed”
- “Your contract will be locked / suspended”
- “Payment method needs verification”
The urgency is intentional: phishing works best when it bypasses careful thinking. If the message pushes you into a “fix it now” mindset, it’s doing its job.
Step 2: Sender name tricks and lookalike domains
Most people glance at the display name (“Hetzner Support”) and stop there. Attackers rely on this. Hetzner specifically notes that legitimate messages should come from addresses ending in @hetzner.com. (Hetzner incident notice)
In real campaigns, lookalike domains may involve:
- Typos (“hetzner-support.com”)
- Extra words (“hetzner-billing.example”)
- Different TLDs (“hetzner.net” instead of “hetzner.com”)
- Punycode/IDN homographs (domains that look right but aren’t)
Hetzner’s documentation on phishing also calls out typical signs like altered sender addresses, spelling mistakes, shortened links, and unusual salutations. (Hetzner “Phishing email collection” doc)
Step 3: A “legit-looking” link that lands on a fake login page
The middle of the funnel is a fake login page. These pages increasingly use real CSS copied from the target brand, and the URL might include reassuring words like “accounts,” “login,” “security,” or “invoice.”
Sometimes the page asks only for username and password. In higher-effort campaigns, it continues with:
- “Verify payment method” steps
- Credit card number + expiry + CVV prompts
- Sometimes even a 2FA prompt to capture one-time codes (often via real-time relay)
This is why “I use 2FA so I’m safe” is only half true. Some forms of MFA can still be phished (especially one-time codes you manually type in). Stronger approaches exist (we’ll get there).
Step 4: Monetization (account abuse, billing abuse, and onward attacks)
Once attackers have access, typical outcomes include:
- Spinning up servers for spam, malware hosting, crypto mining, or botnet infrastructure
- Accessing backups or snapshots (if available) for data theft
- Pivoting into other services via password reuse
- Card-not-present fraud if payment data was harvested
That’s the incentive structure. Your credentials are valuable not because you’re famous, but because your infrastructure is useful.
Hetzner’s recommended actions (and why they matter)
Hetzner recommends three practical steps that are worth repeating with some added context.
1) Change your password immediately if you entered it on a suspicious site
Hetzner directs users to change their password via its accounts portal. (Hetzner incident notice)
From a security perspective, the critical nuance is: change it from a clean device (or at least a device you trust), and make sure the new password is unique and stored in a password manager. If you reused that password elsewhere (email, Git hosting, WordPress admin…), assume those accounts are now in danger too.
2) Enable two-factor authentication (2FA)
Hetzner explicitly recommends enabling 2FA for Hetzner accounts. (Hetzner incident notice)
Even basic MFA drastically improves security posture. Microsoft has stated that more than 99.9% of compromised accounts don’t have MFA enabled. (Microsoft Learn: MFA statistics)
That doesn’t mean MFA is magic; it means password-only accounts are the low-hanging fruit of the internet, and attackers are very good at harvesting low-hanging fruit.
3) Don’t “support-desk” yourself into a worse situation
Hetzner asks users not to call phone support regarding phishing but to contact support via email instead. (Hetzner incident notice)
This is partly pragmatic (high call volume), but it’s also a security control: social engineering often escalates through phone channels. Attackers may impersonate support agents. Keeping communication in documented, written channels reduces risk and improves traceability.
How to verify a Hetzner email without clicking anything
“Don’t click links” is good advice, but people still need to do business. Here’s a safer workflow when you receive something that appears to be from Hetzner.
Use the “known good path” rule
Instead of clicking a link in an email:
- Open a new browser tab.
- Type the address you already know (or use a trusted bookmark) for the Hetzner accounts portal.
- Log in there and look for notifications, invoices, policy prompts, or service alerts.
If there’s a real problem (billing issue, policy acceptance), it should appear in the control panel. If it doesn’t, the email probably wants you somewhere else.
Check the sender domain and authentication indicators
Even if the display name looks right, the domain might not. Hetzner’s warning emphasizes that messages not ending with @hetzner.com are suspicious. (Hetzner incident notice)
If you’re an admin with access to email headers, review:
- SPF alignment
- DKIM signature validity
- DMARC policy results
These aren’t perfect, but for common brand spoofing they provide strong signals.
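As an added illustration of the lookalike-domain signs from Step 2 and the sender-domain and authentication checks just listed (example code written for this article, not a tool from Hetzner): the script below parses the From: address out of a raw message, decodes punycode labels so an IDN homograph shows its real characters, tests the domain as an exact match or subdomain of hetzner.com rather than a loose string suffix (which would accept "nothetzner.com"), and reads the spf/dkim/dmarc verdicts from the receiving server's Authentication-Results header. The sample message, its addresses and its header values are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real Hetzner email): the display name says "Hetzner
# Support", the address uses a lookalike domain, and the receiving server's
# Authentication-Results header reports DMARC failing.
SAMPLE_RAW = """\
From: "Hetzner Support" <billing@hetzner-support.com>
To: customer@example.net
Subject: Last reminder: urgent renew
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=hetzner-support.com; dkim=none; dmarc=fail header.from=hetzner-support.com

Your contract will end soon.
"""

LEGIT_DOMAIN = "hetzner.com"  # per Hetzner's notice, real mail ends in @hetzner.com


def sender_domain(msg):
    """Lowercase domain of the From: address, with punycode labels decoded
    so that an IDN homograph shows its real characters."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # undecodable labels are left as they are; they are still reported
    return domain


def is_legit_domain(domain, legit=LEGIT_DOMAIN):
    """Exact match or subdomain. A bare suffix test (domain.endswith(legit))
    would wrongly accept 'nothetzner.com'."""
    return domain == legit or domain.endswith("." + legit)


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header added by
    the receiving mail server (a method that is absent is reported as 'none')."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        found = re.search(r"\b%s=([a-z]+)" % method, header)
        results[method] = found.group(1) if found else "none"
    return results


def assess(raw):
    """Return the sender domain, the authentication verdicts and the reasons the
    message is suspicious (an empty findings list means nothing obvious was found)."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    auth = auth_results(msg)
    findings = []
    if not is_legit_domain(domain):
        findings.append("sender domain %r is not %s" % (domain, LEGIT_DOMAIN))
    if any(ord(c) > 127 for c in domain):
        findings.append("sender domain contains non-ASCII characters (possible homograph)")
    if auth["dmarc"] != "pass":
        findings.append("dmarc=%s" % auth["dmarc"])
    return {"domain": domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    result = assess(SAMPLE_RAW)
    print(result["domain"], result["auth"])
    for finding in result["findings"]:
        print("-", finding)
```

Run against the constructed message it reports the lookalike domain and the DMARC failure; against a message from a subdomain of hetzner.com with dmarc=pass it reports nothing. The Authentication-Results header is only trustworthy when it was added by your own receiving server, so a filter built on this should strip any copies that arrive from outside first.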
Hover, don’t click
Hetzner’s own phishing guidance recommends hovering over links to see the destination without clicking. (Hetzner phishing guidance)
This is still relevant in 2026. Yes, phishing kits evolve. No, humans have not evolved since 2024. Hovering remains one of the easiest sanity checks available.
If you already clicked: an incident-response checklist
Let’s assume worst case: you clicked and entered credentials, maybe even payment details. Here’s what to do, in a practical order.
1) Change your Hetzner password immediately
Do it from a device you trust. If you’re worried your machine is compromised, use a different device (or boot from a clean environment) for the password change.
2) Enable 2FA (and prefer phishing-resistant methods where possible)
Enable Hetzner account 2FA as soon as possible. (Hetzner incident notice)
In general security guidance, the strongest protection against phishing is phishing-resistant authentication, such as FIDO2/WebAuthn security keys. NIST’s digital identity guidance explicitly distinguishes phishing-resistant methods and notes that OTP-based methods (manual code entry) are not considered phishing-resistant. (NIST SP 800-63B)
In other words: if your MFA requires you to type a code into a webpage, a sufficiently well-designed phishing page can still ask you for that code.
3) Review account activity, access keys, and billing
After you regain control, review:
- Recent logins (if the platform provides logs)
- API tokens / access keys
- SSH keys on servers and in your account
- New instances or services provisioned
- Billing changes, invoices, payment methods
Attackers often create persistence. Changing a password is essential but not always sufficient if tokens or keys were created during the compromise window.
4) If you provided card data, contact your bank/card issuer
This is not fun, but it’s faster than arguing with fraudulent charges after they post. Ask about:
- Freezing the card or issuing a replacement
- Placing fraud alerts
- Monitoring for card-not-present transactions
5) Report the phishing attempt
Hetzner maintains a documentation page with phishing examples and suggests forwarding suspicious emails (including headers) for analysis. (Hetzner phishing email collection)
In the United States, you can also report phishing and related cybercrime to the FBI’s IC3. (IC3)
Why “just train users” isn’t enough anymore
Security awareness training matters, but modern phishing doesn’t rely solely on typos and Nigerian princes. Many campaigns are:
- Localized (correct language, correct timezone references)
- Brand-accurate (logos, templates, matching tone)
- Context-aware (referencing domains you own or services you actually use)
- Timed (sent during renewals, billing cycles, holidays, weekends)
Also, defenders have a scaling problem: attackers only need a small percentage of victims to click. You need a near-perfect success rate to prevent compromise.
This is why the industry is moving toward a layered approach—email authentication, filtering, link rewriting, browser isolation in high-risk environments, and most importantly phishing-resistant MFA.
Phishing-resistant MFA: what it is (and why NIST cares)
NIST’s SP 800-63B guidance (updated as part of the 800-63-4 revision) explicitly discusses phishing resistance. It notes that phishing resistance is meant to prevent disclosure of authentication secrets to an impostor verifier without relying on user vigilance, and that WebAuthn/FIDO2 is an example providing phishing resistance via binding to the authenticated domain name. (NIST SP 800-63B)
Meanwhile, Google’s security research has shown strong effectiveness gains from adding additional verification factors; for example, Google reported that adding a recovery phone can block up to 100% of automated bots, 99% of bulk phishing, and 66% of targeted attacks in one study. (Google Security Blog, May 2019)
And Microsoft’s MFA statistic—more than 99.9% of compromised accounts lacking MFA—acts as a practical reminder: attackers go where the resistance is lowest. (Microsoft Learn)
For hosting accounts specifically, phishing-resistant options reduce the risk that a fake login page can successfully capture usable authentication material.
What Hetzner customers (and IT teams) should do next
There’s the personal checklist, and then there’s the “we run production workloads” checklist. If you’re in the second camp, here are pragmatic controls to consider.
Enforce MFA and prefer phishing-resistant authenticators
If you manage accounts centrally, require MFA on all administrative identities and encourage FIDO2/WebAuthn where available.
Separate admin identities from day-to-day accounts
Create dedicated admin accounts used only for administration. Keep them out of email threads and away from everyday browsing. Fewer exposures, fewer chances to be phished.
Reduce reliance on email links for critical workflows
Train teams to use “known good paths” (bookmarks, typed URLs, password manager autofill checks). If your password manager refuses to autofill on a page, that’s often a sign you’re not on the right domain.
Monitor for unexpected infrastructure changes
Even if you don’t have perfect audit logs, you can still detect compromise by watching for:
- New instances created outside business hours
- Unexpected outbound traffic spikes
- New SSH keys pushed to servers
- Changes in firewall rules or security groups
Think of it as “cloud SIEM lite.” You won’t catch everything, but you’ll catch enough to reduce dwell time.
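As an added example covering both the post-incident review list above (API tokens, SSH keys, new instances, billing) and the monitoring points just listed, the script below runs over a constructed audit log. It is not Hetzner's log format or tooling; the event names, the JSON layout, the UTC business-hours window and the actor name are all assumptions made for the example. It flags actions that grant persistence, instances created outside business hours, and anything that happened inside a suspected compromise window.

```python
import json
from datetime import datetime

# Constructed audit events for the example (not Hetzner's real log format):
# one JSON record per line, timestamps in UTC.
SAMPLE_EVENTS = """\
{"ts": "2024-07-05T09:12:00Z", "actor": "alice", "action": "server.reboot", "target": "web-1"}
{"ts": "2024-07-05T23:41:00Z", "actor": "alice", "action": "ssh_key.create", "target": "key-7f"}
{"ts": "2024-07-06T02:03:00Z", "actor": "alice", "action": "server.create", "target": "cx-new-3"}
{"ts": "2024-07-06T02:05:00Z", "actor": "alice", "action": "api_token.create", "target": "tok-9b"}
{"ts": "2024-07-08T10:30:00Z", "actor": "alice", "action": "firewall.update", "target": "fw-prod"}
"""

# Actions that grant or widen access; a password change alone does not undo them.
PERSISTENCE_ACTIONS = {"ssh_key.create", "api_token.create", "firewall.update"}
BUSINESS_HOURS_UTC = (8, 18)  # assumed working window: 08:00 inclusive to 18:00 exclusive, Mon-Fri


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-07-05T09:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = parse_ts(rec["ts"])
            events.append(rec)
    return events


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS_UTC
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review(text, window=None):
    """Return the events a responder should look at, with the reason(s) each was flagged.

    window: optional (start, end) pair of ISO timestamps bounding the suspected
    compromise, e.g. from the moment the phishing link was clicked to the password change.
    """
    bounds = (parse_ts(window[0]), parse_ts(window[1])) if window else None
    flagged = []
    for ev in parse_events(text):
        reasons = []
        if ev["action"] in PERSISTENCE_ACTIONS:
            reasons.append("persistence")
        if ev["action"] == "server.create" and outside_business_hours(ev["ts"]):
            reasons.append("off-hours provisioning")
        if bounds and bounds[0] <= ev["ts"] <= bounds[1]:
            reasons.append("inside compromise window")
        if reasons:
            flagged.append({"ts": ev["ts"].isoformat(), "action": ev["action"],
                            "target": ev["target"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in review(SAMPLE_EVENTS, window=("2024-07-05T20:00:00Z", "2024-07-06T06:00:00Z")):
        print(item["ts"], item["action"], item["target"], ", ".join(item["reasons"]))
```

The point of the compromise-window reason is the one made above: once you know roughly when the credentials were entered, every token, key or firewall change created in that interval is presumed hostile and gets revoked, whether or not it looks unusual on its own.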
Implement payment and billing guardrails
Use spending alerts and consider dedicated payment methods for infrastructure providers. Even if the attacker fails to take over the hosting account, they might still try to monetize stolen card data.
“But I use 2FA”: the uncomfortable truth about OTP phishing
One-time passwords (TOTP) and SMS codes are far better than passwords alone. But because the user manually enters a code, an attacker can sometimes relay that code in real time to the legitimate service (a classic adversary-in-the-middle approach).
NIST explicitly notes that authenticators requiring manual entry of an authenticator output are not considered phishing-resistant. (NIST SP 800-63B)
That’s why modern guidance increasingly emphasizes phishing-resistant methods (like WebAuthn/FIDO2 security keys and passkeys) for high-risk accounts. For hosting, “high-risk” is basically the default setting.
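To make the difference between a typed code and a domain-bound authenticator concrete, here is an added simulation (written for this article, not code from NIST, Hetzner or any FIDO library) of the relying-party checks that give WebAuthn its phishing resistance, next to a plain OTP check. Assumptions: the relying-party ID hetzner.com and the portal origin https://accounts.hetzner.com are placeholders chosen for the example, and an HMAC under a per-credential secret stands in for the authenticator's asymmetric signature so the code runs with the standard library only. Because the browser writes the page's origin into clientDataJSON itself, an assertion produced on a lookalike origin fails the origin check even when the challenge is the genuine one; a one-time code carries no such binding.

```python
import hashlib
import hmac
import json

# Placeholders chosen for the example; the real relying-party ID and portal
# origin would be whatever Hetzner registers for its login flow.
RP_ID = "hetzner.com"
EXPECTED_ORIGIN = "https://accounts.hetzner.com"


def sha256(data):
    return hashlib.sha256(data).digest()


def browser_client_data(challenge, origin):
    """The browser builds clientDataJSON and writes the calling page's origin
    into it itself; page script cannot substitute a different origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_secret, rp_id, client_data_json):
    """Simulated authenticator. A real FIDO2 key signs authenticatorData ||
    sha256(clientDataJSON) with a private key; an HMAC under a per-credential
    secret stands in here so the example needs only the standard library."""
    authenticator_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
    signature = hmac.new(cred_secret, authenticator_data + sha256(client_data_json),
                         hashlib.sha256).digest()
    return authenticator_data, signature


def rp_verify(cred_secret, issued_challenge, client_data_json, authenticator_data, signature):
    """The relying party's checks on an assertion (a subset of the WebAuthn
    verification procedure): ceremony type, challenge, origin, rpIdHash, signature."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != issued_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if authenticator_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_secret, authenticator_data + sha256(client_data_json),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def otp_verify(expected_code, submitted_code):
    """A typed one-time code carries nothing about the page it was typed into,
    so the verifier cannot tell a code entered on a lookalike page from one
    entered on the real portal: both are just the same six digits."""
    return hmac.compare_digest(expected_code, submitted_code)


def assertion_from(origin_used):
    """Run one WebAuthn ceremony with the credential used on the given origin
    and return the relying party's verdict."""
    cred_secret = b"constructed-credential-secret"  # constructed for the example
    challenge = "constructed-challenge"             # a real RP issues a fresh random one
    cdj = browser_client_data(challenge, origin_used)
    auth_data, sig = authenticator_sign(cred_secret, RP_ID, cdj)
    return rp_verify(cred_secret, challenge, cdj, auth_data, sig)


if __name__ == "__main__":
    print("real portal:", assertion_from(EXPECTED_ORIGIN))
    print("lookalike page:", assertion_from("https://hetzner-login.example"))
    print("otp, typed anywhere:", otp_verify("482913", "482913"))
```

In a real browser the barrier comes even earlier: the browser refuses to use the relying-party ID hetzner.com from an origin that is not within that domain, so a lookalike page never obtains an assertion at all. The relying-party checks shown here are the second line, and they are what NIST means by resistance that does not depend on the user noticing anything.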
A brief history lesson: Hetzner has warned about this before
Hetzner has posted phishing advisories on its status page in prior years as well, including earlier incidents about phishing mails stealing (Hetzner) logins. (Hetzner status incident, 2022)
This isn’t unusual. Any well-known provider becomes a brand template for scammers. The success metric for criminals isn’t “did we fool everyone,” it’s “did we fool enough people this week.”
Practical examples of phishing red flags (hosting edition)
Here are a few real-world red flags that show up frequently in hosting-related phishing:
- Threats that don’t match reality: “We will delete your servers in 30 minutes.” Reputable providers rarely communicate like this.
- Payment pressure: “Verify your card immediately.” Real billing issues can be verified by logging into the portal directly.
- Weird sender domains: a “support” email from a marketing domain, a free email provider, or a domain that looks close but not exact.
- Link mismatch: the anchor text says “hetzner.com” but hover shows something else entirely.
- Attachments: unexpected PDFs, ZIPs, or “invoice” HTML attachments.
Hetzner’s own phishing documentation emphasizes several of these: altered sender domains, conspicuous links, urgency, and unexpected attachments. (Hetzner phishing guidance)
What vendors can do (and why it’s still hard)
Customers carry much of the burden, but providers do have levers:
- Brand monitoring: takedowns of lookalike domains and cloned login pages.
- Abuse response: fast handling for phishing infrastructure hosted on their networks.
- Security defaults: making MFA easy and strongly recommended (or required) for sensitive actions.
- User education: keeping public collections of known phishing emails to help recognition.
Hetzner’s “phishing email collection” page is a good example of the education approach, providing examples and advice on how to respond. (Hetzner docs)
Still, phishing is hard to eradicate because it targets the user’s decision-making, not just the provider’s infrastructure. Even perfect server-side security can’t stop someone from typing credentials into the wrong page—unless phishing-resistant authentication is in place.
Bottom line: treat hosting credentials like production SSH keys
Hetzner’s July 2024 status warning is a reminder of something the industry keeps relearning: the most reliable way into a system is often through the human operating it.
If you use Hetzner (or any major hosting provider), consider these the minimum baseline:
- Use a unique, strong password stored in a password manager.
- Enable 2FA immediately—prefer phishing-resistant methods when available.
- Never log in via email links; use typed URLs or trusted bookmarks.
- Monitor account and infrastructure changes like you would monitor production uptime.
- Have a “what if we lose the account” recovery plan (backups, off-provider DNS control, documented support paths).
It’s not glamorous. It’s not a new AI model. It’s the cybersecurity equivalent of flossing: boring, necessary, and you only regret skipping it when something starts hurting.
Sources
- Hetzner Status: “Phishing emails stealing logins and credit card data” (original RSS source; creator/author: Hetzner Online GmbH via Hetzner Status)
- Hetzner Docs: Phishing email collection
- Microsoft Learn: “Multifactor authentication (MFA) statistics”
- FBI: Release on Internet Crime Report 2024 (IC3)
- FBI: Release on IC3 Annual Report for 2023
- FBI Internet Crime Complaint Center (IC3)
- NIST SP 800-63B (Digital Identity Guidelines)
- Google Security Blog (May 2019): 2-Step Verification effectiveness statistics
- Hetzner Status (2022): Phishing mails stealing (Hetzner) logins
Bas Dorland, Technology Journalist & Founder of dorland.org