Hetzner Phishing Alert: Emails Stealing Logins and Credit Card Data—How to Spot Them, Lock Down Accounts, and Protect Your Organization


On July 5, 2024 (06:00 UTC), hosting provider Hetzner published a blunt warning on its status page: phishing emails are circulating “in the name of Hetzner,” and they’re aiming for the two things criminals never get tired of monetizing—account logins and credit card details. The incident post is still listed as Status: Identified, and Hetzner’s guidance is refreshingly direct: don’t click, delete suspicious messages, and if you entered credentials, change your password immediately and enable 2FA. The original status update does not list an individual author; it appears as a Hetzner status communication from Hetzner Online GmbH.

This article expands that short but important warning into a practical playbook: what the scam looks like, why it works, how to respond if you (or a colleague) clicked, and how to build defenses that don’t rely on everyone having an infallible “phish detector” installed in their brain.

And yes: we’ll talk about credit cards, because criminals love mixing credential theft with payment fraud. It’s the cybersecurity equivalent of a combo meal—unfortunately, you’re the one paying.

What Hetzner reported (and why it matters)

Hetzner’s status advisory describes phishing emails that create urgency (“last reminder,” “urgent,” “your contract will end soon”), use fake sender names (like “HETZNER” or “HetznerSupportTeam”), and include links that look legitimate but lead to fake login pages designed to capture Hetzner usernames/passwords and sometimes credit card details. Hetzner explicitly notes one easy validation step: the sender address is suspicious if it does not end with @hetzner.com. The post also points users to the official login page at accounts.hetzner.com, recommends enabling two-factor authentication, and asks customers not to call phone support about phishing—email support instead. It also links to Hetzner’s ongoing phishing email collection and its 2FA documentation.

This is not just “another phishing wave.” Hetzner customers often have access to valuable infrastructure: domains, DNS settings, cloud servers, backups, and billing accounts. That makes a Hetzner login a high-leverage target. One compromised hosting account can be used to spin up new phishing infrastructure, host malware, exfiltrate customer data, pivot into production workloads, or change DNS records for a stealthy takeover of email and websites.

Why phishing still works in 2026: it’s industrial, not artisanal

We’re long past the era where most phishing emails were written by someone with a shaky grasp of English and an enthusiasm for “kindly do the needful.” Modern phishing is increasingly a product. It’s “phishing-as-a-service” (PhaaS): templates, kits, hosting, analytics, traffic filtering, and customer support (for criminals, naturally).

Microsoft’s Digital Crimes Unit, for instance, described RaccoonO365 as a subscription-based phishing kit operation used to steal Microsoft 365 credentials at global scale, with infrastructure seizures in 2025 involving hundreds of malicious sites. It’s a useful parallel: the same productization pressures apply whether criminals impersonate Microsoft or Hetzner. The point is not the brand—it’s the workflow: impersonate a trusted service, generate urgency, push the victim to a lookalike login page, harvest credentials, and monetize access.

Phishing also remains one of the most common cybercrime complaints. The FBI’s IC3 noted phishing/spoofing schemes had more than 298,000 complaints reported in 2023—an astonishing volume that underlines how frequently the “simple” stuff still lands.

How the Hetzner impersonation scam typically plays out

Hetzner’s alert highlights three major patterns. Let’s translate them into the attacker’s playbook.

1) Urgency and consequences

Attackers want you to act before you think. Common themes include:

  • “Your contract will end soon”
  • “Urgent: renew your domain or it will be locked”
  • “Last reminder: accept new data protection policies”

These topics are effective because they tie to real operational fears: downtime, domain loss, account suspension, compliance issues, billing problems. And if you run production workloads on Hetzner, “downtime” isn’t an abstract concept—it’s a pager.

2) Sender spoofing and lookalike identities

Hetzner specifically calls out fake sender names and notes a key check: if the email address does not end in @hetzner.com, treat it as suspicious.

However, it’s worth adding a nuance: a display name can say “Hetzner Billing Team” while the actual address is something unrelated. Some attackers also use lookalike domains (for example, swapping letters, adding hyphens, or using different TLDs). That’s why domain-based email authentication matters (we’ll get to DMARC later).
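To turn the sender check into something a helpdesk or mail filter can apply consistently, here is an added Python example (mine, not Hetzner’s code). It applies the advisory’s rule literally, the address must end in @hetzner.com, to a raw From: header, then adds the nuance above: a display name that claims to be Hetzner, the brand used as a subdomain of an unrelated domain, and lookalike spellings. The CONFUSABLES table and the sample headers are constructed assumptions; Hetzner has not published such a list.

```python
"""Sender triage for Hetzner-themed mail (added example, not Hetzner's code).

Applies the advisory's rule literally: the address must end in @hetzner.com.
Anything else is flagged, with reasons, so a verdict can be explained.
The CONFUSABLES table is an assumption about common substitutions.
"""
from email.utils import parseaddr

OFFICIAL_DOMAIN = "hetzner.com"   # the only sender domain the advisory names

# Substitutions seen in lookalike domains; assumed list, not from Hetzner.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w"}


def normalize_label(label: str) -> str:
    """Undo common lookalike tricks so 'h3tzner-support' compares as 'hetznersupport'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def sender_verdict(from_header: str) -> dict:
    """Classify a raw From: header. Returns the reasons so the verdict is explainable."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    if not domain:
        reasons.append("no parseable sender address")
    elif domain != OFFICIAL_DOMAIN:
        reasons.append(f"sender domain '{domain}' is not {OFFICIAL_DOMAIN}")
        # The registrable part is approximated as the second-to-last label
        # (fine for .com/.net; does not model co.uk-style public suffixes).
        labels = domain.split(".")
        registrable = labels[-2] if len(labels) >= 2 else domain
        if "hetzner" in normalize_label(registrable):
            reasons.append("registrable domain is a Hetzner lookalike")
        elif "hetzner" in domain:
            reasons.append("Hetzner name used as a subdomain of an unrelated domain")
        if "hetzner" in display.lower():
            reasons.append("display name claims to be Hetzner but address does not match")

    return {"address": addr, "domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed headers for demonstration.
    for hdr in [
        "Hetzner Online GmbH <noreply@hetzner.com>",
        "HETZNER <billing@hetzner-support.com>",
        '"HetznerSupportTeam" <support@hetzner.com.evil.example>',
        "Billing <no-reply@h3tzner.net>",
    ]:
        v = sender_verdict(hdr)
        print("SUSPICIOUS" if v["suspicious"] else "ok        ", hdr, v["reasons"])
```

The strict equality on the domain is deliberate: the advisory names only @hetzner.com, so the function treats subdomains as unverified rather than guessing which ones Hetzner actually sends from. Adjust OFFICIAL_DOMAIN if your own mail logs show a documented legitimate sender.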

3) Links that “look real” and lead to credential harvesting

The scam link may visually resemble a Hetzner URL. But the actual destination can be anything: a lookalike domain, a compromised website, or a short link redirecting to a phishing kit landing page. The fake page is designed to mimic Hetzner’s login flow and sometimes prompts for payment details to “verify” or “update” billing.

If you’re thinking: “But we have 2FA, so even if someone steals a password we’re fine,” that’s an excellent instinct—but it’s not a guarantee. Some modern phishing kits attempt to capture session tokens/cookies or trick victims into handing over one-time codes. The security industry has spent the last few years learning the hard way that not all MFA is phish-resistant MFA.

First-response checklist: what to do if you received (or clicked) a suspicious email

Hetzner’s instructions are clear: don’t open suspicious messages, don’t click links, delete the email, and if you entered credentials, change your password immediately and enable 2FA.

Here’s a more expanded incident-response checklist you can apply in a business context (or as a very organized individual):

If you only received the email (no click)

  • Do not click anything, including “unsubscribe” links.
  • Verify independently: open a fresh browser tab and go directly to accounts.hetzner.com (typed or from a known bookmark), not from the email.
  • Report the email internally (security team or IT) and follow company procedure for suspicious messages.
  • Forward/report to Hetzner if you’re a customer and can share headers safely; Hetzner’s docs recommend forwarding suspicious emails with headers/text so they can check the message.

If you clicked the link but did not enter credentials

  • Assume the site fingerprinted your browser (user agent, IP, maybe more).
  • Run an endpoint scan (especially if anything was downloaded).
  • Change your Hetzner password anyway if you’re not 100% sure you didn’t type something in a field.
  • Enable 2FA if not already enabled.

If you entered your Hetzner username/password

  • Immediately change your password via the legitimate Hetzner Accounts page: accounts.hetzner.com.
  • Enable 2FA in Hetzner Accounts (Settings → Two-factor authentication), following Hetzner’s guide.
  • Review account activity: check billing settings, API tokens, SSH keys, new users, and any changes to contact emails or password reset settings.
  • Invalidate sessions/tokens where possible (some platforms allow “log out all sessions”).
  • Alert your team if shared access or organization billing is involved.

If you entered credit card details

  • Contact your bank/card issuer immediately and explain you provided card details to a fraudulent page.
  • Monitor transactions closely, enable card alerts, and consider a new card number.
  • Check if the same password is used elsewhere—criminals often pair payment fraud with credential stuffing on other services.

Hardening your Hetzner account: 2FA is table stakes, but do it properly

Hetzner strongly recommends enabling two-factor authentication for Hetzner Accounts and provides a step-by-step guide.

From Hetzner’s documentation, the process is: log in, go to Settings → Two-factor authentication, enable 2FA, store the recovery key safely (Hetzner warns replacement may require manual review and even postal mail), then set up your chosen authentication method.

Choose the strongest 2FA option you can support

In an ideal world, you use phish-resistant MFA (such as security keys based on FIDO2/WebAuthn). Hetzner’s documentation also discusses configuring a YubiKey OTP approach, with references to Yubico resources.

Even if your platform uses app-based TOTP (one-time codes), it’s still dramatically better than password-only. But remember: phishing kits may attempt to capture OTP codes in real time. This is one reason security keys are so valuable for high-impact accounts like hosting providers.

Don’t treat recovery keys like “optional accessories”

Recovery keys are frequently the difference between “minor incident” and “weekend ruined.” Hetzner notes that losing the recovery key can require a replacement process that involves verification steps; this is good for security, but it also means you should store recovery material securely and redundantly.

Email security controls: what organizations should implement (beyond telling humans to be careful)

Security awareness is necessary, but it’s not sufficient. Verizon’s DBIR continues to highlight that the “human element” remains involved in a majority of breaches, and social engineering persists at scale.

So let’s make the humans’ job easier by building guardrails.

1) DMARC, SPF, and DKIM: make impersonation harder

Domain-based authentication helps receiving mail systems assess whether an email claiming to be from a domain is legitimate. Proper SPF/DKIM alignment and a strict DMARC policy (eventually moving toward quarantine/reject) can reduce successful spoofing of your own domain.

It won’t stop attackers from using lookalike domains, but it does reduce the “free wins” criminals get by sending unauthenticated mail as if it came from you.
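The difference between a DMARC record that looks present and one that actually protects your domain sits in a handful of tags. The following added Python example (not Hetzner’s code, and not a reference implementation of the standard) parses the TXT record a domain publishes at _dmarc.<domain> using the tag=value syntax of RFC 7489 and reports whether the record is enforcing, including the weak spots a first deployment usually has: p=none, a partial pct, a laxer subdomain policy, and no reporting address. The records it evaluates are constructed strings; nothing is resolved in DNS.

```python
"""DMARC record checker (added example; not Hetzner's code).

Parses the TXT record published at _dmarc.<domain> using RFC 7489 tag
syntax and reports what the record actually enforces. Nothing is looked
up in DNS: the records in main() are constructed strings.
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("required p= tag is missing")
    return tags


def assess_dmarc(txt: str) -> dict:
    """Score a record: 'enforcing' means failing mail is actually acted on."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy {policy!r}")
    findings = []

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy} leaves subdomains weaker than the organizational domain")
    if tags.get("adkim", "r").lower() == "r" and tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment for both DKIM and SPF; consider adkim=s/aspf=s once your subdomains are inventoried")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and cannot see who spoofs you")

    return {
        "policy": policy,
        "pct": pct,
        "subdomain_policy": sub_policy,
        "enforcing": policy != "none" and pct == 100,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed records: a monitoring-only start, a staged rollout, and a strict target.
    for record in [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; pct=25; adkim=s; aspf=s",
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com",
    ]:
        result = assess_dmarc(record)
        print(record, "->", "ENFORCING" if result["enforcing"] else "not enforcing", result["findings"])
```

The typical rollout path is the first record, then the second with pct climbing, then the third; the checker makes it obvious when a domain has stalled at the monitoring stage, which is the state attackers get "free wins" from.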

2) Inbound link scanning and rewriting (carefully)

Secure email gateways and cloud email security tools can rewrite and scan links. This helps catch obvious malicious destinations. The catch: modern phishing kits often use cloaking, only showing malicious content to “real” browsers and hiding it from scanners. That’s why you also want URL detonation in realistic environments, plus brand impersonation detection and domain age heuristics.

3) Block newly registered domains and suspicious TLDs (with exceptions)

Many phishing campaigns use recently registered domains. Blocking or flagging mail that contains links to domains registered in the last X days (commonly 7–30) can reduce exposure. You’ll want exception handling, because legitimate new domains do exist (especially in marketing campaigns), but in infrastructure operations, “new domain” is often a smell.

4) Enforce password managers and unique passwords

Hetzner’s phishing guidance recommends unique passwords for each service and suggests using a password manager.

Password managers help in two underrated ways:

  • They generate unique, strong passwords (reducing credential stuffing fallout).
  • They often refuse to autofill credentials on lookalike domains (a subtle but powerful phishing tripwire).

5) Require MFA for email and hosting accounts—and prioritize security keys for admins

If a Hetzner phishing email lands in an inbox, that inbox may already be a target. Email account compromise is frequently the stepping stone to resets, invoices, and social engineering that bypasses technical controls. So require MFA for email first, then for infrastructure accounts, then for everything else. Not glamorous, but effective.

Why hosting accounts are especially attractive: the “infrastructure pivot” problem

Attackers don’t always stop at one stolen password. A hosting provider account can be a platform for:

  • DNS hijacking (redirecting web traffic or email to attacker-controlled systems)
  • Credential harvesting at scale (spinning up new phishing sites quickly)
  • Malware staging (hosting payloads or command-and-control infrastructure)
  • Invoice fraud (changing billing details, adding payment methods, or exploiting stored payment data)

In other words: a compromised Hetzner account can turn into a compromise of your customers, not just you. That’s why the mundane steps—2FA, password changes, sender verification—matter.

A practical “spot the phish” checklist tailored to Hetzner impersonation

Here’s a checklist you can paste into an internal wiki or runbook.

  • Sender domain: does it end in @hetzner.com? If not, assume malicious.
  • Urgency language: “last reminder,” “urgent,” “account locked,” “contract ending.”
  • Link destination: hover to inspect; does it really go to accounts.hetzner.com or another official Hetzner domain?
  • Unexpected payment prompts: does it ask for credit card details to “verify” or “avoid suspension”?
  • Grammar and formatting anomalies: not always present, but still common across phishing campaigns.
  • Mismatch between display text and actual URL: classic phishing tell.

Hetzner’s own phishing email collection also lists common signs like altered sender addresses, mismatched links, artificial urgency, unexpected attachments, and poor grammar—plus recommends forwarding suspicious emails (with headers) to support.

What to tell your finance team (because credit cards are in play)

In many organizations, the people who manage hosting accounts are not the same people who handle credit cards. That’s a coordination gap attackers love.

If your team receives Hetzner-themed emails requesting payment verification or billing updates:

  • Centralize billing changes (one process, one channel, one approval path).
  • Use virtual cards or spend controls where possible (limits reduce blast radius).
  • Require out-of-band verification for any billing change request received via email.
  • Monitor for low-value “test charges”—fraudsters often verify card validity with small transactions before going bigger.
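The last item is easy to automate against a card statement export. The following added Python example (mine, not Hetzner’s or any bank’s code) looks for the card-testing pattern on a per-card basis: a tiny probe charge followed within a short window by a large one. The thresholds, window and the transaction list are constructed assumptions; tune them to your own spend profile.

```python
"""Card-testing detector for a billing export (added example, not Hetzner's).

Flags a card where a tiny probe charge precedes a large charge within a
short window, the pattern the article warns finance teams about. The
thresholds and the transaction list are constructed assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Txn = namedtuple("Txn", "card ts merchant amount")

# Constructed sample: card ...1234 is probed then hit; ...9876 is normal spend;
# ...5555 has a probe but the large charge falls outside the 48 h window.
SAMPLE_TXNS = [
    Txn("1234", datetime(2024, 7, 5, 9, 2), "APP STORE", 0.99),
    Txn("9876", datetime(2024, 7, 5, 9, 30), "HOSTING INVOICE", 48.00),
    Txn("1234", datetime(2024, 7, 5, 11, 15), "GIFTCARDS LTD", 1450.00),
    Txn("9876", datetime(2024, 7, 6, 10, 0), "OFFICE SUPPLY", 23.50),
    Txn("5555", datetime(2024, 7, 1, 8, 0), "PARKING", 1.50),
    Txn("5555", datetime(2024, 7, 6, 8, 0), "FLIGHTS INC", 900.00),
]


def first_probe_then_hit(items, small_max, big_min, window):
    """First (probe, charge) pair on one card where a small charge is followed by a big one."""
    items = sorted(items, key=lambda t: t.ts)
    for i, probe in enumerate(items):
        if probe.amount > small_max:
            continue
        for later in items[i + 1:]:
            if later.ts - probe.ts > window:
                break          # sorted by time, so nothing further can be inside the window
            if later.amount >= big_min:
                return probe, later
    return None


def find_card_testing(txns, small_max=2.00, big_min=200.00, window=timedelta(hours=48)):
    """One alert per card that shows the probe-then-hit pattern."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    alerts = []
    for card, items in by_card.items():
        hit = first_probe_then_hit(items, small_max, big_min, window)
        if hit:
            probe, charge = hit
            alerts.append({"card": card, "probe": probe, "charge": charge,
                           "gap": charge.ts - probe.ts})
    return alerts


if __name__ == "__main__":
    for a in find_card_testing(SAMPLE_TXNS):
        print(f"card ...{a['card']}: {a['probe'].amount} at {a['probe'].merchant} "
              f"then {a['charge'].amount} at {a['charge'].merchant} after {a['gap']}")
```

Card 5555 shows why the window matters: with the default 48 hours it is not flagged, but widening the window to a week surfaces it, at the cost of more false positives from ordinary parking-then-travel spend.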

Reporting: who to contact and what to include

Hetzner’s status incident asks users not to call telephone support about phishing, but to write to support@hetzner.com.

Hetzner’s documentation recommends forwarding suspicious emails (ideally including complete headers and text) to their support team or reporting via their interfaces (depending on account tooling).

If the phishing involves infrastructure hosted on Hetzner (for example, a phishing site running on Hetzner-hosted servers), the appropriate channel is typically an abuse mailbox rather than customer support. Publicly available RIPE WHOIS data and multiple reporting directories list Hetzner abuse contacts such as abuse@hetzner.com. (Use support@hetzner.com for customer phishing assistance; use abuse channels for malicious hosting reports.)

Industry context: the numbers behind the annoyance

It’s easy to treat phishing as background noise—until it isn’t. The reality is that phishing remains one of the most reported cybercrime categories, and it’s often the entry point to account takeover and fraud.

  • The FBI IC3 reported more than 298,000 phishing/spoofing complaints in 2023.
  • Verizon’s 2024 DBIR highlighted the continuing role of the human element and noted that user reporting in simulations is improving—but still leaves plenty of room for attackers to succeed.
  • ENISA’s Threat Landscape 2025 highlights list phishing among the leading intrusion access points in reported incidents.

So when Hetzner publishes a “general” warning about phishing, it’s not a minor footnote. It’s a reminder that attackers are targeting the connective tissue of the internet: accounts that control servers, domains, and payment methods.

Case study style scenario: how a single Hetzner phish can become a multi-incident mess

Let’s walk through a realistic (and depressingly common) chain reaction:

  • Day 0: Developer receives “urgent domain renewal” email, clicks, and enters Hetzner credentials.
  • Day 0 + 10 minutes: Attacker logs in, creates a new API token or adds an SSH key, ensuring persistence.
  • Day 0 + 30 minutes: Attacker spins up a new VM to host phishing pages targeting your customers (or to run scanning tools).
  • Day 1: DNS settings are modified (or invoice emails redirected) to stage further fraud.
  • Day 2: Your security team finds the new VM via cost anomaly or abuse report; incident response begins.
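The "review account activity" step from the checklist earlier (API tokens, SSH keys, new users, billing changes) is what interrupts this chain at Day 0 + 10 minutes rather than Day 2. The following added Python example (mine, not Hetzner’s API or console export) runs that review over an audit log. The JSON-lines event format, the event-name taxonomy and the log lines are all constructed assumptions; the point is the logic: everything the phished account changed after the compromise time, with the source IP compared against the addresses the victim normally uses.

```python
"""Post-compromise account review over an audit log (added example).

The event format is a constructed, generic JSON-lines layout, not Hetzner's
API or console export. Given the time credentials were phished, it lists
the persistence and fraud-relevant changes the article says to review.
"""
import json
from datetime import datetime, timezone

# Events that let an attacker keep access or monetize it (assumed taxonomy).
PERSISTENCE_EVENTS = {"api_token.create", "ssh_key.add", "user.invite",
                      "billing.update", "dns.record.update", "server.create"}

# Constructed log lines. 203.0.113.10 is the developer's usual office IP;
# 198.51.100.77 is where the attacker logs in from after the phish.
SAMPLE_LOG = """
{"ts":"2024-07-05T07:55:00Z","actor":"dev@example.org","event":"login","ip":"203.0.113.10"}
{"ts":"2024-07-05T08:05:00Z","actor":"dev@example.org","event":"login","ip":"198.51.100.77"}
{"ts":"2024-07-05T08:06:30Z","actor":"dev@example.org","event":"api_token.create","ip":"198.51.100.77","detail":"token 'backup-sync'"}
{"ts":"2024-07-05T08:08:00Z","actor":"dev@example.org","event":"ssh_key.add","ip":"198.51.100.77","detail":"key 'laptop-2'"}
{"ts":"2024-07-05T08:35:00Z","actor":"dev@example.org","event":"server.create","ip":"198.51.100.77","detail":"new instance"}
{"ts":"2024-07-05T09:00:00Z","actor":"ops@example.org","event":"ssh_key.add","ip":"203.0.113.10","detail":"key 'ci-runner'"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with timezone-aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def review_after_compromise(text: str, victim: str, phished_at: datetime, known_ips: set) -> list:
    """Persistence-relevant changes made by the victim account after phished_at."""
    findings = []
    for event in parse_log(text):
        if event["actor"] != victim or event["ts"] < phished_at:
            continue
        if event["event"] not in PERSISTENCE_EVENTS:
            continue
        findings.append({
            "ts": event["ts"],
            "event": event["event"],
            "detail": event.get("detail", ""),
            "ip": event["ip"],
            "unknown_ip": event["ip"] not in known_ips,
        })
    return findings


if __name__ == "__main__":
    phished = datetime(2024, 7, 5, 8, 0, tzinfo=timezone.utc)
    for f in review_after_compromise(SAMPLE_LOG, "dev@example.org", phished, {"203.0.113.10"}):
        marker = "UNKNOWN IP" if f["unknown_ip"] else "known ip"
        print(f["ts"].isoformat(), f["event"], f["detail"], f"({marker})")
```

Everything the function returns is a revocation target: the token and key get deleted, the instance gets inspected and removed, and only then is the password reset considered complete. Filtering on actor rather than IP first matters because the attacker may reuse the victim's VPN or a nearby residential proxy.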

Notice the “blast radius”: it’s not only your hosting account. It can become reputational damage, customer harm, and a compliance headache. The good news is that this chain is also highly interruptible—password reset + 2FA + review of tokens/keys and billing settings can break it quickly when done fast.

Recommendations for Hetzner customers: a short hardening runbook

  • Enable 2FA on Hetzner Accounts (do it today, not after the next scary email).
  • Use a password manager and unique passwords per service.
  • Review who has admin access to Hetzner and remove old accounts.
  • Prefer least-privilege access for billing vs server management where possible.
  • Set up alerts for billing changes and unusual spend.
  • Educate the team with real examples—Hetzner’s phishing email collection is made for that.

What I’d like to see next (and what you can do meanwhile)

Hetzner’s status post is useful, but the bigger fight against phishing is ecosystem-wide. Industry trends point toward more sophisticated kits, more automation, and better evasion. Microsoft’s takedown of large phishing-kit infrastructure shows that disruption is possible—but also that criminal tooling has matured into a subscription economy.

In practice, that means: we should assume phishing will keep happening, and we should build systems that fail safely. Phish-resistant MFA for critical accounts, better email authentication, and tighter controls around billing and admin actions won’t eliminate risk—but they dramatically reduce the odds that one click becomes a six-figure incident.

Bas Dorland, Technology Journalist & Founder of dorland.org