
On the internet, every week is Shark Week. But some weeks the sharks wear a vendor logo and politely ask you to “urgently accept the new data protection policies.”
Hetzner, one of Europe’s best-known infrastructure providers, has published an incident notice titled “Phishing emails stealing logins and credit card data” warning customers about ongoing email campaigns impersonating the company. According to the Hetzner status incident, the phishing emails are designed to drive victims to fake Hetzner login pages that attempt to steal account credentials and even credit card details. The incident is listed as Status: Identified with a start time of July 5, 2024 at 06:00 UTC. Original incident notice (Hetzner Online Status).
This article expands on that warning for cloud admins, dev teams, finance staff, and anyone with a Hetzner account (including those who only log in twice a year—an endangered species). We’ll cover what Hetzner is reporting, how modern phishing works, what to do if you clicked, and how to reduce risk long-term—without turning your organization into a productivity-themed escape room.
Original RSS source: Hetzner Online Status incident page.
Original author/creator: Hetzner Online GmbH (status update authored/published by Hetzner).
What Hetzner says is happening (and how the scam is designed)
Hetzner’s incident notice is straightforward: there are phishing emails circulating in the name of Hetzner. The messages use a familiar formula:
- Create urgency (“Last reminder…”, “Urgent…”, “Your contract will end soon”).
- Impersonate the sender using display names like “HETZNER” or “HetznerSupportTeam.” Hetzner notes a key tell: the sender email address does not end with @hetzner.com.
- Use links that look real but lead to fake Hetzner login pages, where victims are asked to enter credentials and/or credit card details.
Hetzner also gives immediate action guidance: if you already entered your username/password on a suspicious site, change your password immediately via Hetzner Accounts and enable two-factor authentication (2FA). Hetzner incident notice. Their 2FA documentation lives here: Hetzner Docs: Two-factor authentication.
Why this matters more than “just an email scam”
When a phishing campaign targets a cloud or hosting provider, the blast radius can go from “one person embarrassed” to “entire infrastructure compromised.” If attackers get into your Hetzner account, possible follow-on abuse includes:
- Server takeovers: changing passwords/keys, resetting systems, or attaching new credentials.
- Data access: exfiltration of backups, images, object storage, or customer data depending on what you host.
- Billing abuse: spinning up expensive resources for cryptomining or other “someone else pays” activities.
- Supply-chain style compromise: using your infrastructure as a stepping stone to attack your customers.
It’s also worth noting the psychology: scams that ask for login credentials are common. Scams that ask for credit card details tend to increase urgency and reduce skepticism because the victim mentally shifts from “security task” to “payment task.” It’s the same trick as a fake parking ticket: you’re not thinking about authenticity—you’re thinking about the consequences of not paying.
Phishing is still booming because it works (and the numbers back it up)
Phishing isn’t a new problem, but it has had a very modern glow-up: better templates, better language, better targeting, and more efficient delivery pipelines.
In the U.S., the FBI’s Internet Crime Complaint Center (IC3) consistently reports phishing/spoofing as one of the most common complaint categories. Reports summarizing the FBI’s 2024 Internet Crime Report (released in 2025) cite record losses of about $16.6 billion and list phishing/spoofing as the most common complaint type. Axios summary; HIPAA Journal summary.
The exact methodology varies by organization and report (and many losses go unreported), but the trend is clear: credential theft and social engineering remain the internet’s most reliable business model—unfortunately for the rest of us.
How attackers impersonate a vendor like Hetzner
Most “vendor phishing” looks deceptively boring. That’s part of the strategy. A good phishing email doesn’t need to be technically impressive; it needs to be plausible at a glance.
1) Display-name impersonation and lookalike domains
Hetzner explicitly warns to verify the sender address and look for anything that isn’t @hetzner.com. Hetzner incident notice. Attackers rely on the fact that many mail clients show only a display name on mobile, and many people don’t expand headers unless something already feels off.
Common domain tricks include:
- Adding extra words: hetzner-support.com, hetznerbilling.com
- Typos: hetzner0.com, hetzmer.com
- Subdomain misdirection: hetzner.com.example.com (real domain is example.com)
2) “Links that look real” (the phishing landing page problem)
Hetzner notes that the emails contain links that look legitimate but lead to fake login pages. Hetzner incident notice. This is the core of credential phishing: the attacker’s goal is not to “hack” Hetzner directly but to trick users into giving away the keys.
Modern landing pages often:
- Clone the real login page HTML/CSS.
- Use TLS certificates (so it shows a reassuring padlock).
- Redirect to the real site after capture to reduce suspicion (“maybe I mistyped my password”).
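Added example (not code from Hetzner or from the original article): a small triage script that applies the sender-address check and the three domain tricks listed above to the From header and the links of a message. The allow-list holds only hetzner.com because that is the one domain the notice names; the category labels, the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "hetzner.com"  # the only domain the notice names; extend with domains you verified
BRAND = "hetzner"

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Label a hostname taken from a sender address or a link."""
    host = host.lower().rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # Official name used as leading labels of someone else's domain.
    if "." + OFFICIAL + "." in "." + host:
        return "misdirection"
    for label in host.split("."):
        d = edit_distance(label, BRAND)
        if d == 0:
            return "brand-other-domain"  # brand under an unlisted domain: verify first
        if d <= 2:
            return "typo"
        if BRAND in label:
            return "extra-words"
    return "unrelated"

def triage(raw_email):
    """Classify the From address and every http(s) link in a plain-text mail."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    urls = re.findall(r"https?://[^\s<>]+", msg.get_payload())
    hosts = [urlsplit(u).hostname or "" for u in urls]
    return {"display": display,
            "sender": classify_host(addr.rpartition("@")[2]),
            "links": {h: classify_host(h) for h in hosts}}

# Constructed sample, modelled on the traits the notice describes.
SAMPLE = """From: HetznerSupportTeam <notice@hetzner-support.com>
Subject: Last reminder: your contract will end soon

Log in: https://accounts.hetzner.com.example.com/login
Real portal for comparison: https://accounts.hetzner.com/
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The display name plays no part in the verdict; only the address and the link hosts are classified, which is the check mobile mail clients tend to hide.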
3) Attachment-based variants (less common here, still relevant)
Hetzner’s status post focuses on links, but phishing campaigns often include malicious attachments or password-protected archives to evade scanning. Hetzner’s own phishing guidance lists unexpected attachments (especially executables or password-protected archives) as a typical sign. Hetzner Docs: Phishing email collection.
4) The “hide the real alert” tactic
One nasty pattern in large spam/phish floods is to bury a real security alert—like a password reset, a new login notification, or an invoice—under a pile of junk, hoping the victim misses the one email that actually matters. Even if the Hetzner campaign described is straightforward, it’s good practice to assume attackers may run multiple plays at once.
What to do if you received a suspicious “Hetzner” email
Let’s keep this practical. The right response depends on what happened: did you just receive it, did you click, did you enter credentials, did you enter card info?
Scenario A: You received it but didn’t click anything
- Delete the email (Hetzner explicitly recommends deleting immediately). Hetzner incident notice
- Report it internally (security team / IT) so others are warned.
- Optionally forward to Hetzner support if you’re a customer and want them to analyze it (Hetzner requests phishing-related issues be handled via email, not phone). Hetzner incident notice
Scenario B: You clicked a link but didn’t enter any data
- Assume tracking happened (your click may be logged).
- Don’t “test” the page further. Close it.
- Run endpoint checks if your org has EDR, and check your browser for extensions you didn’t install.
- Consider changing your Hetzner password anyway, especially if you’re not using unique passwords.
Scenario C: You entered your Hetzner username/password
This is the big one. Hetzner’s guidance is explicit: change your Hetzner password immediately at accounts.hetzner.com. Hetzner incident notice.
Do these steps in order:
- Change your Hetzner password immediately from a trusted device/network.
- Enable 2FA in Hetzner Accounts. Hetzner 2FA guide
- Review account activity and settings: look for new users/admins, changed email addresses, new API keys, altered SSH keys, or new billing contacts.
- Rotate credentials downstream: if you used the same password anywhere else (please don’t), change those too. Use a password manager and unique passwords going forward (Hetzner also recommends this). Hetzner phishing guidance
Scenario D: You entered credit card data on a fake page
If you typed payment details into a phishing page, treat it as a payment card compromise:
- Contact your bank/card issuer immediately to cancel the card or place a fraud watch.
- Monitor transactions (attackers may test with small charges first).
- Update Hetzner billing details only through a trusted login path (type the URL yourself, don’t use email links).
It’s not glamorous work, but it’s much better than spending Friday evening explaining to accounting why the company card is funding a “VPS Bulk Purchase Experiment” in someone else’s name.
Hetzner’s own anti-phishing playbook (and why it’s worth bookmarking)
Hetzner maintains a dedicated documentation page called “Phishing email collection” to help users recognize suspicious messages. It lists typical signs such as spelling/grammar issues, altered sender addresses, mismatched links, artificial urgency, unexpected attachments, and generic greetings. It also advises users not to click, to verify sender details, to hover over links, to forward suspicious emails (with headers if possible), and to change passwords/enable 2FA if data was entered. Hetzner Docs: Phishing email collection.
That “hover over links” advice is old-school, but still effective—on desktop. On mobile it’s trickier, which is why organizations should assume phish clicks will happen and focus on limiting the damage with strong authentication and rapid detection.
Hardening your Hetzner account: the non-negotiables
If you manage infrastructure, your Hetzner account should be treated like a production system. Because it is.
1) Turn on 2FA (and store the recovery key properly)
Hetzner provides step-by-step instructions to enable two-factor authentication in Hetzner Accounts. The setup process includes generating a recovery key and warns that if you lose it, replacement may require postal mail verification. Hetzner Docs: Two-factor authentication.
Translation: store the recovery key like it’s an SSH private key that pays invoices. Because it kind of is.
2) Understand email OTP vs 2FA (and why email OTP alone isn’t enough)
Hetzner also describes a Login-OTP mechanism where a 6-digit OTP may be emailed when you log in from a new device or unusual location. Importantly, Hetzner states that when 2FA is enabled, email OTPs are no longer sent because 2FA replaces that process. Hetzner Docs: Login-OTP.
Email OTP can help, but phishing kits increasingly target email accounts too—or attempt to socially engineer OTP codes in real time. 2FA with an authenticator app or hardware key generally raises the bar significantly.
3) Use a password manager and unique passwords (yes, even for “vendor portals”)
Hetzner explicitly recommends using a separate strong password for each service and using a password manager to generate and store them. Hetzner phishing guidance.
In practice, this also neutralizes a lot of credential stuffing. If your password leaks somewhere else, it shouldn’t unlock your hosting provider too.
4) Use safer browsing protections and report phishing pages
Browser and platform defenses are underrated because they’re invisible when they work. Google Safe Browsing is designed to warn users about dangerous sites and is used across products; Google states it helps protect billions of devices daily. Google Safe Browsing.
If you encounter a phishing page, Google provides a reporting flow for phishing URLs. Google: Report phishing. Reporting helps speed takedowns and warnings across the ecosystem.
Why cloud-provider phishing is a growing problem
Phishing has always targeted banks and email accounts. But attackers increasingly go after:
- Cloud consoles (compute, storage, IAM)
- Hosting/provider portals (VPS, dedicated servers, DNS, billing)
- Developer tooling (Git hosting, CI/CD, package registries)
The reason is painfully rational: compromising a cloud account can provide both infrastructure and identity. Attackers can spin up resources, host malware, send spam, and masquerade as legitimate operations—while the victim gets the bill and the incident response migraine.
Meanwhile, law enforcement and industry have been highlighting that much of today’s cybercrime is enabled by scalable infrastructure—cheap hosting, disposable virtual machines, and phishing-as-a-service. For example, Microsoft and partners have described takedowns of infrastructure supporting phishing and business email compromise operations, including platforms that make it easier to run large-scale phishing campaigns. TechRadar on RedVDS takedown. Even if the details differ from the Hetzner-specific campaign, the takeaway is the same: the industrialization of phishing makes vendor impersonation campaigns cheap to run and easy to repeat.
A realistic internal playbook for teams using Hetzner
If you run Hetzner in production—whether it’s dedicated servers, colo, or cloud—you’ll want more than “be careful.” Here’s a practical checklist you can implement without needing a committee, a Gantt chart, or a sticker wall.
Establish a “never click vendor login links” culture
One of the strongest anti-phishing rules is also the simplest:
- Never log in via an emailed link.
- Always type the URL (or use a bookmark you created yourself).
This single habit breaks a huge percentage of credential phishing attempts because the attacker’s page isn’t reached.
Define your official domains and sender addresses
In Hetzner’s warning, the company emphasizes that legitimate email addresses end with @hetzner.com. Hetzner incident notice. Your internal guidance should also list official domains you expect for:
- Account portal
- Documentation
- Support contact addresses
And then: teach people to actually check. Not just “be aware.”
Centralize reporting and response
When someone gets a suspicious vendor email, make it easy to do the right thing:
- A single internal mailbox or ticket type (e.g., security+phish@)
- A standard “phish triage” Slack/Teams channel
- A runbook: what to do if clicked, what to do if credentials entered, what to do if card info entered
Hetzner specifically asks customers not to call telephone support for phishing issues, and instead to write to their support email. Hetzner incident notice. The operational lesson: use the communication channel the provider can handle at scale.
Apply least privilege and reduce who can pay for things
Phishing works best when the phished identity has broad permissions. A mature setup includes:
- Separate admin accounts (no shared logins)
- Limit who can change billing or payment methods
- Limit who can provision new resources
- Use separate emails for billing vs technical admin, if feasible
This won’t stop phishing emails from arriving, but it can stop one compromised mailbox from turning into a full-scale incident.
Common misconceptions (and the uncomfortable truths)
“The padlock means the site is safe”
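Nope. HTTPS means the connection is encrypted and the certificate matches the hostname in the address bar; it says nothing about who operates that host. Attackers use TLS too. The padlock is not a trust badge; it’s a privacy feature.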
“Our people are smart; they won’t fall for this”
Security programs built on this assumption tend to produce two outcomes: (1) someone falls for it anyway, and (2) they hide it. Better to assume clicks happen and build defenses that contain damage.
“2FA fixes everything”
2FA is a major improvement, and Hetzner strongly recommends enabling it. Hetzner 2FA guide. But sophisticated phishing kits can attempt to capture session tokens or trick users into approving authentication prompts. Your goal is layered defense: 2FA, strong passwords, monitoring, and good habits around URLs.
Looking ahead: what we should expect next
Hetzner’s incident started on July 5, 2024 (UTC) and remains listed as identified on their status page. Hetzner incident notice. That time range matters: phishing campaigns can run for months, mutate into new templates, and reappear whenever a domain takedown happens.
In 2026, the “future” of phishing isn’t holograms or brain interfaces—it’s simply better operational discipline by criminals:
- More convincing copy (sometimes AI-assisted, sometimes just competent humans)
- More targeted campaigns (billing staff, admins, on-call engineers)
- More bypass techniques (bot filtering, conditional redirects)
- More rapid domain churn
Which means defenders should also focus on operational discipline: make the secure choice the easy choice.
Bottom line: treat vendor logins like production systems
Hetzner’s warning is a useful reminder that cloud accounts are high-value targets and that phishing is still the most efficient door into a system—because it’s a door into a human.
If you take only three actions this week:
- Enable 2FA on your Hetzner account. Hetzner 2FA documentation
- Stop logging in via emailed links (type or bookmark the real URL).
- Share Hetzner’s phishing signs with your team. Hetzner phishing email collection
Everything else—filters, browser warnings, takedowns, training—helps. But these are the moves that reliably change outcomes.
Sources
- Hetzner Online Status: “Phishing emails stealing logins and credit card data”
- Hetzner Docs: Phishing email collection
- Hetzner Docs: Two-factor authentication
- Hetzner Docs: Login-OTP
- Axios: FBI internet crime losses record high (2024 report summary)
- HIPAA Journal: Summary of FBI IC3 2024 Internet Crime Complaint Report
- Google Safe Browsing overview
- Google Search Central: Report phishing
- TechRadar: Microsoft takedown of phishing infrastructure (RedVDS)
Bas Dorland, Technology Journalist & Founder of dorland.org