
Hetzner has issued a clear warning: phishing emails are currently circulating in its name, attempting to steal customer logins and even credit card data. The incident was marked as “Identified” on Hetzner’s status platform and dates back to July 5, 2024 (06:00 UTC). In plain English: attackers are sending convincing messages that try to rush you into clicking a link, landing on a fake Hetzner login page, and handing over the keys to your account—and sometimes your payment details too.
This article expands on Hetzner’s advisory, adds industry context on why phishing is still thriving (even in a post-“everyone has MFA now” world), and provides practical steps for individuals and organizations running infrastructure on Hetzner (or any provider, really). I’ll also point out where the original warning lives, who published it, and how to use Hetzner’s own documentation to build a sturdier defense.
Original RSS source: Hetzner Online Status incident page, “Phishing emails stealing logins and credit card data,” published by Hetzner Online GmbH on its status site: status.hetzner.com/incident/2e715748-fddd-427b-a07b-b34a5a9edee3.
What Hetzner actually said (and what matters most)
Hetzner’s status incident page describes phishing emails “in the name of Hetzner” and gives the classic tells: urgency-heavy subjects, fake sender names, and links that look legitimate but lead to a fake Hetzner login page. The goal is straightforward: steal credentials and potentially credit card information.
Two details are especially important:
- Sender domain check: Hetzner specifically advises that legitimate Hetzner emails should come from addresses ending in @hetzner.com.
- Immediate response guidance: If you entered credentials on a fake site, Hetzner tells customers to change their password immediately at accounts.hetzner.com and to enable two-factor authentication (2FA).
Hetzner also asks customers not to call phone support for phishing issues and instead to email support@hetzner.com.
Why this phishing wave is more than “just spam”
We all like to pretend phishing is a solved problem—something your email filter eats for breakfast while you sip your coffee. The data says otherwise.
The FBI’s Internet Crime Complaint Center (IC3) reported that in 2024 it received 859,532 complaints and recorded reported losses exceeding $16 billion (a 33% increase from 2023). In that same report, phishing/spoofing was one of the top categories by complaint volume (along with extortion and personal data breaches).
So when a major hosting provider warns about credential theft, it’s not a niche IT problem. It’s part of a high-volume fraud economy that has become brutally efficient.
Cloud provider accounts are particularly valuable
Stealing a Hetzner account login isn’t only about your server bill. Access to a hosting account can mean:
- Spinning up infrastructure for additional phishing sites
- Launching malware command-and-control nodes
- Exfiltrating data from hosted apps and databases
- Hijacking domains or DNS records to redirect traffic
- Capturing stored payment methods or invoices to support further fraud
In other words: if attackers can get into your account at the provider level, they often don’t need to break into each server individually. They just manage the whole environment from the control panel like they own the place.
How these Hetzner-themed phishing emails typically look
Hetzner’s warning includes a recognizable pattern: a strong “do this now” message that pressures you into acting before thinking. Example subject lines on the incident page include “Last reminder,” “Urgent,” and “Your contract will end soon.”
That urgency isn’t accidental; it is the core psychological mechanism. Attackers want you to do what IT people do all day: click through a prompt quickly because something sounds like it might break. Phishing doesn’t beat security teams by being clever—it beats busy humans by being fast.
Key indicators (including the boring ones you should actually use)
- Sender mismatch: The display name may read “Hetzner Online GmbH,” but the actual email address does not end in @hetzner.com.
- Link deception: The visible link text looks plausible, but the destination domain isn’t Hetzner.
- Account pressure: Threats of suspension, domain lock, or contract termination, paired with a “confirm now” button.
- Payment hooks: “Update billing details” or “payment failed” prompts. These are particularly effective because they map to real workflows.
Hetzner also maintains a phishing email collection in its documentation—essentially a gallery of known examples and patterns—plus practical advice like hovering over links and forwarding suspicious emails with full headers.
Why phishing still works when everyone “has 2FA”
Phishing used to be about stealing a password. Then everyone deployed multi-factor authentication (MFA/2FA), and we all declared victory. Attackers responded with what can best be described as: “That’s cute.”
The rise of adversary-in-the-middle (AiTM) phishing
Modern phishing kits increasingly use reverse proxy techniques (often called adversary-in-the-middle phishing). The fake site acts as a proxy to the real login page; the victim sees a real-looking page, enters credentials and sometimes MFA codes, and the attacker captures session tokens/cookies in real time. Okta describes this as a common pattern in high-volume attacks, recommending phishing-resistant authenticators like WebAuthn/FIDO2 where possible.
Security analysis of services like EvilProxy explains how reverse-proxy phishing can harvest session cookies and effectively bypass MFA in some scenarios.
“Phishing-as-a-Service” makes it scalable
Phishing operations are no longer handcrafted, one-off scams. They’re subscription services. In early March 2026, Microsoft described coordinated action with Europol and partners to disrupt “Tycoon 2FA,” a phishing-as-a-service operation associated with tens of millions of fraudulent emails and designed to defeat multifactor authentication. Microsoft said it seized 330 domains forming the service’s core infrastructure.
The broader takeaway isn’t “good, the bad guys lost.” It’s that the bad guys had an industrial platform in the first place, and they will rebuild because the business model works.
So what should Hetzner customers do right now?
If you run anything meaningful on Hetzner—production workloads, side projects, client infrastructure, even a hobby server you love more than most people—you should treat this as a prompt to harden your account. That does not mean living in fear. It means implementing a few high-impact changes that make phishing less profitable.
1) Don’t click: go direct to Hetzner Accounts
If you receive a “billing issue” or “policy update” email, do not use the embedded link. Instead, open a new browser tab and go directly to the official Hetzner accounts portal: accounts.hetzner.com. Hetzner explicitly points users there for password changes after suspected phishing.
2) Enable 2FA on your Hetzner account (and store recovery keys properly)
Hetzner strongly recommends enabling 2FA, and its documentation provides a step-by-step guide. It also emphasizes recovery keys and the implications of losing them (including recovery via regular mail in some cases).
Security note: 2FA is not magic, but it is still one of the highest return-on-effort defenses for most users, especially against basic credential stuffing and simple credential phishing.
3) Use unique passwords and a password manager
Hetzner’s phishing guidance explicitly recommends using a separate, strong password for each service and using a password manager to generate and manage secure, unique passwords.
If an attacker steals your Hetzner password and you reused it elsewhere, your incident just became a portfolio problem. Attackers will try the same credentials on email, GitHub, Stripe, PayPal, and anything else that pays rent.
4) Forward suspicious emails with full headers (don’t just screenshot them)
Hetzner’s docs note that you should forward suspicious emails to their support team (or report via their console) and, if possible, include complete email headers and text to help them analyze the message.
Headers matter because that’s where routing and authentication clues live (SPF/DKIM/DMARC results, sending IPs, and the “Received” chain). Screenshots are aesthetically pleasing but technically starving.
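What those header fields yield when read by a script, as an added example that is not part of Hetzner's documentation. The header block is constructed, and `mx.customer.example` stands in for your own receiving mail server; that name is an assumption to replace with the real one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def auth_verdicts(msg, trusted_authserv):
    """SPF/DKIM/DMARC verdicts, read only from headers our own server stamped."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(value.split()).partition(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv:
            continue  # anything else could have been inserted by the sender
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            verdicts.setdefault(method, verdict)
    return verdicts

def received_chain(msg):
    """(from_host, by_host) per hop, oldest first; hops before our MTA are unverified."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())
        src = re.search(r"\bfrom (\S+)", flat)
        dst = re.search(r"\bby (\S+)", flat)
        hops.append((src and src.group(1), dst and dst.group(1)))
    return hops

def header_report(raw, trusted_authserv):
    msg = message_from_string(raw)
    auth = auth_verdicts(msg, trusted_authserv)
    return {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "auth": auth,
        "hops": received_chain(msg),
        "dmarc_ok": auth.get("dmarc") == "pass",
    }

# Constructed headers (documentation IP ranges, .example hosts); not a real message.
SAMPLE_HEADERS = """\
Received: from mx.customer.example (mx.customer.example [192.0.2.10])
\tby mail.customer.example with ESMTPS; Fri, 05 Jul 2024 06:12:03 +0000
Authentication-Results: mx.customer.example;
\tspf=softfail smtp.mailfrom=bulk-sender.example;
\tdkim=none; dmarc=fail header.from=hetzner.com
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.23])
\tby mx.customer.example with ESMTP; Fri, 05 Jul 2024 06:12:01 +0000
Authentication-Results: relay.bulk-sender.example; spf=pass; dkim=pass; dmarc=pass
From: "Hetzner Online GmbH" <support@hetzner.com>
Subject: Urgent
"""
```

In this sample the From address ends in @hetzner.com, yet the verdict recorded by the receiving server is `dmarc=fail`; the second `Authentication-Results` header claims a pass but carries a different server name, so it is ignored. A screenshot preserves none of this.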
If you already clicked or entered data: a damage-control checklist
Mistakes happen. The important part is moving quickly and methodically.
Step A: Change your Hetzner password immediately
Do it from a trusted link (type it in yourself): accounts.hetzner.com. Hetzner explicitly instructs password changes if you entered credentials on a suspicious site.
Step B: Enable 2FA if it wasn’t enabled
Follow Hetzner’s 2FA setup guide and store your recovery key safely.
Step C: Audit your account for changes
- Check for new users, API tokens, or SSH keys added to projects
- Review active sessions (if available)
- Check billing changes: payment methods, invoices, and contact details
- Look for newly created cloud resources you didn’t create
This is where a lot of post-phish compromises get missed: attackers often add persistence (new keys/tokens) so they can come back after you change a password.
Step D: Talk to your bank/card issuer if you entered payment data
If the phishing page captured card details, treat it like a compromised card: contact your issuer, monitor transactions, and follow their fraud process. Hetzner’s warning explicitly states the phish may request credit card details.
Step E: Report the incident to the right places
For US readers, the FBI recommends reporting internet crimes via ic3.gov and notifying financial institutions if money movement is involved.
If you’re reporting hosted phishing content, Hetzner also provides an abuse reporting channel via its abuse form, referenced in its Digital Services Act information page.
Security hygiene for teams: make phishing boring again
If you manage Hetzner infrastructure for an organization, the phish is not “an end-user issue.” It’s a governance issue. A single compromised admin account can cascade into incident response, downtime, data exposure, and reputational damage. Here’s how to reduce blast radius.
Use least privilege and role separation
Don’t give everyone full administrative access “because it’s easier.” It is easier—until it isn’t. Create a structure where billing, provisioning, and production operations are separated where feasible. If one account gets phished, you want the attacker to hit a locked door quickly.
Require phishing-resistant MFA where possible
CISA has long emphasized the value of MFA as a security control to reduce account compromise when passwords are stolen.
But as AiTM attacks grow, many organizations are moving toward phishing-resistant methods (e.g., WebAuthn/FIDO2/passkeys) where supported. The FIDO Alliance describes passkeys as phishing-resistant because they use cryptographic key pairs and are designed to prevent credential reuse on lookalike sites.
Practical reality check: not every service supports passkeys today, and some environments still rely on TOTP apps. If you can’t deploy phishing-resistant MFA everywhere, focus it on high-value control planes first: email, identity provider, source control, and cloud hosting consoles.
Train for “workflow phishing,” not just “spot the typo”
Hetzner’s examples mention policy reminders, domain renewal, and contract termination. Those are workflow phishing themes—messages that imitate real business processes and hit the exact nerve that makes admins click: “If I don’t do this now, something breaks.”
Tabletop exercises can be simple:
- What is our policy for billing emails?
- Who is allowed to update payment methods?
- What’s the process when an urgent-sounding email arrives?
- Do we have a separate, known-good bookmark list for admin portals?
Why hosting brands get impersonated (and why Hetzner is a tempting target)
From an attacker’s perspective, hosting providers are a two-for-one deal: you can steal money (via cards) and infrastructure (via console access). Hetzner is also widely used by developers, startups, and small-to-mid-sized businesses—groups that may have excellent engineering skills but uneven operational security processes. That mismatch is fertile ground for social engineering.
And there’s an additional ugly loop: if attackers compromise a hosting account, they can host more phishing pages and scale the operation. Hosting becomes both the target and the tool.
What Hetzner is doing on its side (and what it can’t do)
Hetzner’s advisory is candid and pragmatic: it can warn customers, document examples, recommend 2FA, and provide reporting channels. It also publishes a dedicated phishing email collection with indicators and suggested response actions.
But no provider can fully “patch” phishing, because phishing targets human trust and cross-service identity patterns. Even the best email authentication (SPF/DKIM/DMARC) reduces impersonation but does not eliminate lookalike domains, compromised mailboxes, or attacker-controlled infrastructure. And when the user types credentials into the wrong site, the provider usually learns about it after the fact—often when someone’s invoice starts paying for servers they didn’t order.
A quick technical sidebar: how attackers build convincing fake login pages
Older phishing pages were bad photocopies of the real thing. Modern kits can proxy the legitimate site or use pixel-perfect clones built from scraped HTML/CSS. Some are fully localized, include accessibility features, and even show the correct company logo in high resolution. The point isn’t aesthetics; it’s friction reduction.
Okta’s discussion of AiTM attacks explains the basic model: a malicious reverse proxy sits between the user and the real service, capturing credentials and session artifacts as traffic passes through.
It’s the cybersecurity version of someone standing behind you at a self-checkout, “helpfully” guiding you through the steps—while quietly taking your receipt, your groceries, and your wallet.
Recommendations you can implement this week (without buying a new appliance)
- Bookmark critical portals (Hetzner Accounts, cloud consoles, payment portals) and use bookmarks, not email links.
- Turn on 2FA everywhere and store recovery keys like you store keys to your home: not in the mailbox outside.
- Standardize reporting: forward suspicious emails with headers; don’t “delete and forget.” Hetzner asks for headers and text when possible.
- Monitor billing alerts and unusual resource creation; treat unexpected invoices as a security signal, not just an accounting annoyance.
- Educate against urgency: teach teams that “urgent account suspension” emails are a reason to slow down, not speed up.
Conclusion: the calm way to respond to a loud phishing email
Hetzner’s warning is not a sign that Hetzner itself was hacked. It’s a reminder that attackers don’t need to breach a provider to compromise customers—they just need to convince customers to hand over access.
The good news is that the defenses are familiar and effective when combined: verify sender domains, avoid clicking email links for account actions, use unique passwords, enable 2FA, and use phishing-resistant authentication where available. Hetzner provides the key starting points—its status advisory, its phishing email collection, and its 2FA documentation—so you can move from “aware” to “protected” without waiting for a crisis.
Sources
- Hetzner Status: “Phishing emails stealing logins and credit card data” (Hetzner Online GmbH)
- Hetzner Docs: Phishing email collection
- Hetzner Docs: Two-factor authentication
- Hetzner: Digital Services Act information (abuse reporting contact)
- FBI: Releases Annual Internet Crime Report (2024 data)
- Microsoft On the Issues: Disruption of Tycoon 2FA phishing-as-a-service
- Okta Security: Keeping phishing adversaries out of the middle (AiTM phishing)
- Help Net Security: EvilProxy reverse-proxy phishing-as-a-service overview
- FIDO Alliance: Passkeys / phishing-resistant authentication overview
- FIDO Alliance (PDF): Passkeys and phishing resistance
Bas Dorland, Technology Journalist & Founder of dorland.org