Cyber Incident Victim: Hetzner Online GmbH
Date: Oct 2018
Location: South Africa
Summary
The South African branch of a web hosting provider experienced its second security breach in under a year, involving unauthorized access to customer invoicing data including names, contact details, identity numbers, and bank account information, though payment credentials and account passwords remained uncompromised. The company warned of potential phishing attempts leveraging the stolen data, mirroring concerns from an earlier incident where attackers exploited an SQL injection vulnerability to access similar details alongside FTP credentials, which were subsequently reset. Customers criticized the organization for perceived inadequacies in breach notifications and security improvements despite prior audits following the initial attack. The affected entity operates independently from its German namesake, which has also faced historical breaches.
Description
On October 5, 2018, Hetzner South Africa’s technical team identified suspicious activity on its database, marking the company’s second security breach within twelve months. The web hosting provider notified affected customers via email, disclosing that an unauthorized party had accessed personal and financial information including names, email addresses, phone numbers, physical addresses, identity numbers, VAT numbers, and bank account details. The company clarified that the breach did not compromise payment card data, account passwords, or customer website and email content. Hetzner initiated a comprehensive audit involving its internal security team and external cybersecurity specialists to investigate the incident and reinforce system safeguards. While downplaying the exposure of highly sensitive data, the firm warned customers to remain vigilant against targeted phishing campaigns, anticipating attackers might leverage stolen details to craft deceptive requests for credentials or financial information. The notification’s subdued tone drew criticism from users, who accused Hetzner of minimizing the severity of the breach despite prior assurances about enhanced security measures following an earlier incident.

This breach followed a November 2017 attack where threat actors exploited an SQL injection vulnerability in Hetzner’s "konsoleH" Control Panel database, compromising similar customer invoicing data along with FTP passwords. The company responded to the first breach by resetting all affected FTP credentials and publicly documenting the incident on its blog, estimating 40,000 customers were impacted. Despite these measures, the 2018 recurrence exposed systemic vulnerabilities, as attackers again exfiltrated comparable datasets without accessing deeper system controls. Hetzner South Africa did not disclose the scope of the second breach or respond to media inquiries seeking clarification, fueling user frustration over transparency gaps. The company emphasized its operational independence from Hetzner Online in Germany, which experienced separate breaches in 2011 and 2013, though both entities shared familial and partnership ties. Customer backlash intensified over Hetzner South Africa’s failure to prevent a repeat breach after claiming to have implemented strengthened defenses and undergone security audits.
