Hetzner Warns of Phishing Emails Stealing Logins and Credit Card Data: What Customers Should Do (and What Everyone Else Can Learn)


Hetzner has issued a public warning about phishing emails circulating in its name that attempt to steal customer login credentials and, in some cases, credit card data. The alert appears on Hetzner’s official status page as an ongoing incident titled “Phishing emails stealing logins and credit card data,” first posted with a start time of July 5, 2024.

If you run workloads on Hetzner (or just pay them for anything at all), this is one of those moments where you should treat your inbox like a suspicious USB stick you found in a parking lot: assume it’s cursed until proven otherwise.

This article breaks down what Hetzner is warning about, how the scam typically works, what to do if you clicked (or worse, typed), and what this tells us about the broader state of phishing in 2026. It’s based on Hetzner’s incident notice (published on its status page and RSS feed) and supporting security guidance and reporting.

What Hetzner reported (and what they didn’t)

On its status page, Hetzner states that phishing emails are currently circulating in the name of Hetzner. The company highlights three recurring characteristics: a manufactured sense of urgency, a fake sender identity (including addresses that don’t end in @hetzner.com), and links that look legitimate but lead to fake Hetzner login pages designed to harvest usernames/passwords and sometimes credit card details.

Hetzner’s recommendation is blunt and correct: don’t open suspicious emails; if opened, don’t click links; delete them. If you entered credentials on a suspected fake site, change your password immediately via the official Hetzner Accounts site, and enable two-factor authentication (2FA).

Notably, this is not framed as “Hetzner got breached.” It’s framed as impersonation—criminals using Hetzner’s brand to trick customers. That’s a crucial distinction because it changes the immediate risk model:

  • If Hetzner were breached, you’d worry about leaked databases, stolen billing details, and widespread forced resets.
  • If Hetzner is being impersonated, the risk is concentrated in whoever interacts with the phish: click, login, pay, repeat.

Phishing is still extremely effective precisely because it doesn’t require exploiting a zero-day in a hypervisor. It requires exploiting the most legacy protocol in tech: human panic.

The original RSS source (and who “authored” it)

The foundation for this article is the official Hetzner status page incident entry: “Phishing emails stealing logins and credit card data”.

Status page incidents like this are typically published by the provider’s operations/security communications team rather than an individual named author. In this case, the incident page itself does not publicly list a human author—so the most accurate attribution is Hetzner Online via its official status communications.

Also worth noting: Hetzner’s status site is built on Atlassian’s Statuspage platform, which is designed for incident communication and subscriber notifications.

How these Hetzner-themed phishing campaigns usually work

Hetzner’s notice calls out the classics, which tells you the attackers are playing a numbers game. They don’t need sophistication; they need volume and timing.

1) The “urgent account action” hook

The email claims you must urgently accept updated policies, renew a domain, update billing, or prevent account termination. Hetzner explicitly points to subject lines such as “Last reminder: accept the new data protection policies,” “Urgent: renew your domain…,” or “Your contract will end soon.”

In other words, the phisher is trying to make you feel like you’re about to lose something valuable: a domain, a server, a contract, your dignity in front of your team, etc. Loss aversion does the rest.

2) Fake senders and “close enough” domains

Hetzner warns about fake sender names like “HETZNER,” “HetznerSupportTeam,” or “Hetzner Online GmbH,” and says the sender is also fake if the email address doesn’t end in @hetzner.com.

But here’s the uncomfortable part: even if the domain does end in @hetzner.com, you can still be fooled if your mail server or your client is configured in ways that make spoofing easier (or if you’re reading on mobile where headers are hidden). The sender address is a clue, not a guarantee.

Government guidance also emphasizes the same pattern: urgent language, requests for personal/financial info, shortened URLs, and slightly incorrect addresses or look-alike links. And it explicitly notes that AI can make grammar perfect, so spelling errors are no longer a reliable tell.

3) Links that look real but lead to fake login pages

This is the core: the link text looks like “hetzner.com” but the destination domain is not Hetzner. Hetzner says these fake pages will prompt for Hetzner credentials and sometimes credit card details.

Technically, this is usually implemented with one of these patterns:

  • Look-alike domains (typosquatting): hetzner-support[dot]com, hetzner-billing[dot]net, hëtzner[dot]com with Unicode tricks, etc.
  • Subdomain tricks: hetzner.com.account-update[dot]example[dot]tld (the real domain is the last part).
  • URL shorteners to hide the destination.
  • Compromised legitimate sites hosting a phishing kit in a random folder.

Once your credentials are captured, attackers often immediately try them against the real Hetzner login portal, then:

  • create new API tokens/keys (if possible),
  • spin up infrastructure for abuse (spam, botnets, credential stuffing),
  • change billing details or add payment methods,
  • attempt lateral movement into connected systems (e.g., if you reused passwords).

And yes: if you’re thinking “but we have SSO,” remember that many people still keep a direct provider login around “just in case.” Attackers love “just in case.”

Why cloud and hosting customers are prime targets

Phishing a cloud customer is not like phishing someone for a social media password. It’s potentially a direct route to:

  • Compute resources (to run malicious campaigns on someone else’s bill)
  • Data (backups, object storage, snapshots, customer databases)
  • Network footholds (to stage attacks, scan, or proxy traffic)
  • Billing instruments (cards, invoices, wire transfers)

Also, hosting invoices and “your service will be suspended” messages are inherently believable. Providers really do suspend accounts for non-payment. Domains really do expire. Even well-run organizations occasionally miss an invoice because someone’s card expired, an email alias changed, or a finance workflow broke. Attackers are exploiting reality, not inventing fiction.

Phishing is getting worse, not better (and the numbers support it)

Phishing persists because it works at scale. In the U.S., the FBI’s Internet Crime Complaint Center (IC3) has repeatedly reported phishing/spoofing as the most common type of complaint. Reports on the FBI’s 2024 Internet Crime figures indicate losses in the tens of billions of dollars and highlight phishing as a top complaint category.

Even if your organization isn’t U.S.-based, the lesson is universal: phishing is the “default attack.” It’s cheap, fast, and—thanks to better templates and AI-assisted writing—often convincing enough to beat tired humans at 08:13 on a Monday.

What to do if you received one of these emails

Hetzner’s advice maps well to standard incident response playbooks. Here’s a practical version you can hand to a colleague without needing a 40-slide deck.

Step 1: Do not click. Verify via a clean path.

If an email claims your Hetzner account requires action, do not use the email’s link. Instead:

  • Open a new browser window.
  • Type the official address yourself (or use a known bookmark).
  • Log in and check notifications/invoices inside the portal.

This aligns with the “resist and delete” guidance promoted by U.S. government cybersecurity advice.

Step 2: Check the sender domain and the link destination

Hetzner specifically says the sender is fake if the email doesn’t end in @hetzner.com.

Also hover over links (desktop) to inspect the destination without clicking. Hetzner repeats this “hover to check” guidance in its phishing email collection documentation.

Step 3: Report it through the right channel

For phishing that impersonates Hetzner, Hetzner’s incident notice asks customers not to call phone support and instead email support@hetzner.com.

If you’re reporting abuse hosted on Hetzner infrastructure (phishing sites, malware hosting, etc.), Hetzner also maintains an abuse reporting process and form documented in its official docs, and its legal terms reference reporting suspected abuse to abuse@hetzner.com and the abuse portal.
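The link patterns listed earlier (look-alike domains, subdomain tricks, shorteners, compromised hosts) and the hover-to-check step above reduce to one classifier. This is an added example, not Hetzner's code: hetzner.com is the expected domain, the shortener list and the sample URLs are constructed, and the eTLD+1 logic is deliberately naive (a real deployment would consult the public suffix list).

```python
"""Classify a link destination against the brand its visible text claims to be."""
from urllib.parse import urlsplit

EXPECTED = "hetzner.com"
BRAND = EXPECTED.split(".")[0]
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # constructed list, extend it

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 against the brand label smells of typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """One label per pattern in the list above; only 'ok' means the link is ours."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        host = host.encode("idna").decode("ascii")  # Unicode tricks become xn-- labels
    except UnicodeError:
        return "idn"
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return "no-host"
    if any(label.startswith("xn--") for label in labels):
        return "idn"  # internationalised name: a human must look, never trust the text
    registrable = ".".join(labels[-2:])  # naive eTLD+1; use the public suffix list in production
    if registrable == EXPECTED:
        return "ok"
    if registrable in SHORTENERS:
        return "shortener"
    if EXPECTED in host:
        return "subdomain-trick"  # the real domain is the last part; the brand is only a prefix
    if BRAND in labels[0] or edit_distance(labels[-2], BRAND) <= 2:
        return "lookalike"
    return "unrelated-host"  # e.g. a compromised site hosting a kit in a random folder

def link_is_deceptive(anchor_text: str, href: str) -> bool:
    """True when the visible text names the brand but the destination is not it."""
    return BRAND in anchor_text.lower() and classify(href) != "ok"
```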

What to do if you clicked a link (triage mode)

Clicking a link is not automatically catastrophic, but treat it as an exposure event. Your response depends on what happened next.

If you only opened the page

  • Close the tab.
  • Clear browser data (optional but reasonable).
  • Run endpoint protection / malware scan.
  • Check for suspicious browser extensions.

The key question is whether anything executed (drive-by downloads are less common now but still possible) or whether you entered any information.

If you entered your Hetzner username/password

Hetzner says to immediately change your Hetzner password via the official accounts portal.

Then:

  • Enable 2FA immediately (preferably with a hardware key or a strong authenticator method). Hetzner provides step-by-step instructions for enabling 2FA in its Accounts panel.
  • Review account security settings for unexpected changes (email address, API tokens, SSH keys, teams/users).
  • Check billing settings for new payment methods or invoices you didn’t create.
  • If you reused the password elsewhere, change it there too (yes, all of them; no, you won’t enjoy it).

If you entered credit card data

Assume the card details are compromised:

  • Call the card issuer and freeze/cancel the card.
  • Review recent transactions and set alerts.
  • Consider placing a fraud alert (jurisdiction dependent).

Phishing for card data is particularly nasty because it can be monetized immediately, and because victims often don’t notice until a charge shows up.

Why Hetzner emphasizes 2FA (and why you should listen)

2FA doesn’t stop phishing outright, but it changes the economics:

  • It can prevent attackers from logging in with only a stolen password.
  • It can force them into more complex real-time “adversary in the middle” attacks, which are harder to run at scale.

Hetzner’s 2FA documentation shows how to enable it and discusses recovery keys and recovery processes. In particular, Hetzner warns that if you lose your recovery key you may need a more manual process (including postal mail in some cases) to regain access—so store recovery info securely.

My mildly funny but sincere journalist advice: treat recovery keys like production database credentials. Because they are.

The phishing email collection: why it exists and how to use it

Hetzner maintains a “phishing email collection” in its docs, created in 2025 and updated as new samples are identified. It’s intended to help customers recognize patterns and assess suspicious content.

This is useful in two ways:

  • Security awareness training: real examples beat abstract advice.
  • Mail filtering: your security team can use indicators (subject lines, sender domains, lure text) to tune detections.

However, treat any collection like an “antivirus signatures” problem: it’s always incomplete. Use it to learn patterns, not to build a brittle “if it’s not in the list, it’s safe” mindset.
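The indicator-based tuning described above, as an added example that is not Hetzner's or the collection's own code: it triages raw message headers for the cues Hetzner's notice names (non-@hetzner.com sender, brand display name, urgency subject) and, for mail that does claim @hetzner.com, checks the DMARC result your own gateway records in Authentication-Results, which is the spoofing caveat from the sender section. The two sample messages and the noreply@hetzner.com address are constructed.

```python
"""Triage raw email headers for the impersonation cues Hetzner describes."""
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "hetzner.com"
# Display names Hetzner says the phishers use, lowercased with spaces removed.
BRAND_NAMES = {"hetzner", "hetznersupportteam", "hetzneronlinegmbh"}
# Lure fragments from the subject lines quoted in Hetzner's notice.
URGENCY = ("last reminder", "urgent", "will end soon", "terminat", "suspend")

# Constructed samples: a look-alike-domain lure, and a spoof of the real domain
# that the receiving gateway's DMARC check rejected.
PHISH = ("From: HetznerSupportTeam <billing@hetzner-support.net>\n"
         "Reply-To: help@hetzner-support.net\n"
         "Subject: Last reminder: accept the new data protection policies\n"
         "Authentication-Results: mx.example.org; dmarc=none\n\nAct now.\n")
SPOOF = ("From: Hetzner Online GmbH <noreply@hetzner.com>\n"
         "Subject: Urgent: renew your domain\n"
         "Authentication-Results: mx.example.org; dmarc=fail\n\nRenew now.\n")

def triage(raw: str) -> list[str]:
    """Return findings for one raw message; an empty list means nothing odd."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    legit = domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)
    if not legit:
        findings.append(f"sender domain {domain!r} is not {LEGIT_DOMAIN}")
        if name.lower().replace(" ", "") in BRAND_NAMES:
            findings.append("brand display name on a foreign domain")
    subject = msg.get("Subject", "").lower()
    if any(cue in subject for cue in URGENCY):
        findings.append("urgency lure in subject")
    # Only trust this header if your gateway strips inbound copies of it first.
    dmarc = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if legit and (dmarc is None or dmarc.group(1).lower() != "pass"):
        findings.append("claims hetzner.com but DMARC did not pass")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To points at a different domain")
    return findings

def verdict(raw: str) -> str:
    """Two or more findings: treat as phishing; exactly one: send for human review."""
    n = len(triage(raw))
    return "phish-likely" if n >= 2 else ("review" if n == 1 else "clean")
```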

Industry context: why “invoice” phishing is evergreen

Invoice and billing phishing thrives because it blends into normal business operations. One case reported in the public sector shows how a small domain alteration can trick staff into sending money to the wrong party—an example of the broader category of business email compromise and invoice fraud.

For cloud providers, the attack surface is bigger because the invoice is connected to an account that can launch infrastructure. So the phish can be used for both direct theft (card details) and indirect theft (abusing compute resources).

What organizations using Hetzner should do next (beyond “be careful”)

“Be careful” is not a control. Here are concrete steps organizations can take, whether you’re a startup with three servers or a mid-size shop that’s accidentally become a cloud provider to your own departments.

1) Lock down account access

  • Enable 2FA for all Hetzner Accounts.
  • Use unique passwords (a password manager makes this survivable).
  • Reduce the number of admins; use least privilege where possible.

2) Add billing and security monitoring

  • Set up alerts for new invoices, payment method changes, and account setting changes.
  • Monitor for unusual provisioning: sudden spikes in new servers, outbound email activity, or unexpected geographies.

3) Harden email handling across the org

  • Train staff on verifying URLs and not acting on urgency cues.
  • Ensure your email gateway enforces authentication checks (SPF/DKIM/DMARC) and flags look-alike domains.
  • Consider disabling link-clicking in high-risk roles via secure email gateways or rewriting/sandboxing solutions.

4) Establish an internal “known-good login path”

Write down the official URLs your team should use (accounts portal, console, docs). Put them in your internal wiki and security training. People under stress don’t improvise well.

So… is this “incident” still ongoing?

As of Hetzner’s status listing, the incident remains marked Identified and shows the start date of July 5, 2024, with updates having occurred in the past (the status page indicates it was last updated hundreds of days ago). In practice, phishing campaigns like this tend to be persistent and cyclical: one wave dies, another wave starts with slightly different templates.

In other words: don’t wait for a “Resolved” badge to start taking phishing seriously. Criminals do not attend your change management meetings.

Frequently asked questions (the ones people ask right after clicking)

“I got an email from Hetzner but I’m not a customer. What now?”

It might just be mass spam. Delete it. If you manage a mail environment, consider reporting it and blocking the sender domain and IPs if appropriate. Do not click anything.

“If the sender ends with @hetzner.com, is it safe?”

Not automatically. It’s a good sign, but not proof. Verify by logging in through a known-good path rather than using email links.

“I enabled 2FA. Am I fully safe?”

Safer, not invincible. Some phishing kits attempt real-time interception of one-time codes. But 2FA still blocks a large class of account takeover attempts and is strongly recommended by Hetzner.

Bottom line

Hetzner’s warning is straightforward: attackers are impersonating the company via email, pushing urgency-based lures, and redirecting victims to fake login pages to steal credentials and payment details.

The fix is equally straightforward, but only if you actually do it:

  • Stop using email links as an authentication mechanism.
  • Enable 2FA and store recovery keys properly.
  • Use unique passwords and train your team on modern phishing cues (which now include perfect grammar).
  • Report phishing through the channels Hetzner requests.

If you do nothing else today: open a fresh tab, go to your Hetzner account the normal way, and turn on 2FA. Consider it the cheapest “cloud security service” you’ll ever deploy.

Bas Dorland, Technology Journalist & Founder of dorland.org