What occurred and what was affected?
On December 1, 2025, we recognized suspicious exercise on certainly one of our servers the place our purchasers’ web sites have been hosted. After investigation, we discovered that certainly one of our prospects, Notepad++, was particularly focused, and we have been working with them to safe their providers. Whereas there is no such thing as a proof that another Hostinger purchasers’ web sites or information have been affected, as a precaution, we notified prospects who had their information on the affected server and moved all web sites to a different server. To remain clear about this incident, we’re sharing what occurred, how we resolved it, and what steps we’re taking to make our methods stronger.
Incident timeline
- The shared internet hosting server in query was compromised till September 2, 2025. On this specific date, the server had scheduled upkeep the place the kernel and firmware have been up to date. After this date, we couldn’t establish any comparable patterns in logs, and this means that the dangerous actors had misplaced entry to the server. We additionally didn’t discover any proof of comparable patterns on another shared internet hosting servers. As a precaution, we instantly transferred purchasers to a safe setting on a distinct server and notified them.
- Regardless that the dangerous actors misplaced entry to the server on September 2, 2025, they retained credentials of one of many inside providers present on that server till December 2, which might have allowed the malicious actors to redirect among the site visitors going to https://notepad-plus-plus.org/getDownloadUrl.php to their very own servers and return a obtain URL containing compromised updates.
- Based mostly on our logs, we see no proof of different purchasers hosted on this specific server being focused. The dangerous actors particularly looked for the notepad-plus-plus.org area with the aim of intercepting the site visitors to the web site, as they may have recognized the then-existing Notepad++ vulnerabilities associated to inadequate replace verification controls.
Conclusion and subsequent steps
After concluding our analysis, the recognized safety findings have been now not noticed within the internet hosting methods from December 2, 2025, onward, as:
- We mounted vulnerabilities that might have been used to focus on Notepad++. Specifically, we do have logs indicating that the dangerous actor tried to re-exploit one of many mounted vulnerabilities; nonetheless, the try didn’t succeed after the repair was carried out.
- We rotated all of the credentials that dangerous actors might have obtained previous to September 2, 2025.
We checked the logs for comparable patterns throughout all internet hosting servers and didn’t discover any proof of methods being compromised, exploited in the same means, or information being breached. We proceed to work carefully with the affected consumer, their companions, and inside and exterior safety researchers to additional enhance our providers and guarantee they continue to be dependable and safe.
As VP of Product at Hostinger, Saulius oversees Internet Internet hosting Platform & Instruments, Managed WordPress, and WebPro Expertise. Saulius enjoys observing customers via their every day life actions, in search of issues to unravel, and constructing merchandise that make customers extra environment friendly on-line, assist them spend extra time on the issues they love, and depart all the remainder for expertise to unravel.
