Hostinger Account Suspension and Data Loss Cost Us $200k
We want to warn everyone about our horrible experience with Hostinger, a so-called "managed hosting" service that completely failed to protect our server, falsely accused us of phishing, suspended our account without proof, and refused to provide any data backup, leading to a massive financial loss of over $200,000.
Here’s What Happened: We were using Hostinger under the assumption that, as a managed hosting provider, they were responsible for securing the server and ensuring its integrity. However, without any prior warning or investigation, our account was abruptly suspended for alleged phishing activity.
We had no idea about any phishing attack. We never engaged in such activities, and if our server was compromised, it was their responsibility to prevent it.
Instead of helping us secure the server, they accused us and immediately took down everything.
They refused to provide proof of the alleged phishing attack, despite multiple requests.
They denied us access to our own data, even for non-suspended domains, which is completely unacceptable.
This sudden suspension caused irreversible damage to our business, resulting in financial losses exceeding $200,000.
Why This is a Serious Issue: Managed hosting means the provider is responsible for security – If a phishing attack happened, it should have been detected and mitigated by them, not used as an excuse to take down an entire account.
No proof was provided – We repeatedly asked them to show us evidence that we were responsible for phishing, but they ignored our requests.
Data loss is catastrophic – Losing all our data without warning, with no access to backups, has crippled our operations. A responsible hosting provider would at least allow users to retrieve their own data.
This could happen to anyone – If they can do this to us, they can do it to any customer, shutting down accounts arbitrarily and refusing to return essential data.
Final Warning to Other Businesses: If you are using Hostinger or considering them, BEWARE. This company will suspend your account without proof, block your access to critical business data, and refuse to provide backups, leading to devastating losses. DO NOT TRUST THEM WITH YOUR BUSINESS.
We are taking legal action against them for this negligence and urge others who have faced similar issues to speak up. If you’re running a serious business, choose a reliable hosting provider that actually protects your data instead of destroying it.
Has anyone else faced something similar? Let’s expose these irresponsible practices before more businesses suffer.
Ticket ID: #225645
Damn, sorry OP. I think it's terrible that they won't tell you why they suspect you of phishing and won't let you access the backups. I hope your legal action succeeds and you get your backups back.
That said, I think it should also be mentioned that "managed hosting" doesn't mean you don't have to worry about anything. On the backup side it's always a good idea to have one or two offsite backups not at your primary host, if only for disaster recovery.
And on the security side, it's usually a shared responsibility where they might manage some of the network layers and help prevent and mitigate DDOS and such, but there's no managed hosting company that can fully secure your application stack for you. They'd have to audit every line of code in every dependency for every customer, which is impossible. That's usually your own team's responsibility.
Still, that's not to say what they did was right, and they should be working with you to identify and fix the issues instead of acting like you are the enemy :( Thank you for the warning. What a terrible experience!
"How do I recover if I need to rebuild my entire system from scratch?" is a basic business continuity exercise.
I know that most startups don't bother with it, but stories like this are exactly why it matters. You need to plan ahead, have backups of your data under your own control, with documentation of a DR plan to completely rebuild and recover should you, for any reason, lose every single vendor you work with today.
If you don't have that, then you are not truly a stable company. And while you might have delegated responsibility of server security to a vendor, that does not absolve you of overall accountability for what happens to your business.
This can happen on any cloud. See it on Azure. Keep backups on another cloud and have a DR plan even if it is very manual. S3 Glacier is very cheap long term, for example.
Keep DNS in another account too.
Managed hosting will secure the server, but you are still responsible for securing anything public-facing that you put on that server.
If your application stack is compromised, and used to host phishing sites, the hosting provider should send you related abuse complaints and work with you to secure it.
Now, this is just a theory on my part, based only on what you've said, but is there any chance that your (probably hacked) server was used to spear-phish the hosting company itself? If so, it could explain their reaction.
> We had no idea about any phishing attack. We never engaged in such activities, and if our server was compromised, it was their responsibility to prevent it.
It's also your server; it was also your responsibility to ensure that it was protected. Likely it was hacked.
Our server was on managed hosting, meaning security was their responsibility. If it was hacked, that’s a failure on their part, not ours.
Instead of investigating or helping us secure it, they suspended our account without proof and refused to provide backups.
A responsible provider would have detected and mitigated threats proactively—not punished their customers with data loss and financial ruin. This isn’t just negligence, it’s outright reckless.
I think you're shirking responsibility quite a bit. Managed hosting means it's your responsibility since you can run applications on there.
If you used a SaaS then it's a bit different since you could only use an authorised plugin and wouldn't be able to run arbitrary code.
Phishing is social, not technical. If someone persuades me to give over my password, I can't blame the email provider I never set up 2FA with for letting them log in.
You have my sympathies - No doubt you're feeling the worst especially when present reality has collided significantly with expectation of the service you thought you had.
Their TOS [1] was probably something that needed to be heavily considered. As for lost data -- #5.7
If your site was exploited in some manner, as a company their IT will just assume the most likely, and blame whatever was installed (I assume a VPS was what was being hosted for your company) was the weak link and subject to being able to be hacked easily.
[1] https://www.hostinger.com/legal/universal-terms-of-service-a...
Regardless of the small print attempting to absolve the provider of any responsibility for anything (as such companies like to do) it does still sound like they have behaved unreasonably and made a bad situation worse by not being more collaborative with the customer.
Having seen unnecessarily unhelpful behaviour like this before, it is infuriating and deserves to be called out.
I will say that the OP seems to have a possibly unrealistic expectation on who is responsible for security. It is very rarely quite as binary as it seems to be being described. I could be wrong, not knowing all the details…
Regardless, it still sounds like Hostinger have done very little to help.
Well we could all wish that being or aiming to be helpful was a standard throughout the industry - sadly it in my experience, and even your notion of unhelpful is indicative of the behaviour that has become more the par present times in regard of services offered - especially by larger companies which have adapted to the cheapest means to deal with external complaints.
As you point out, we are in the dark as to just what the hosting services were, there's mention of a server but we can only speculate. However the company does point out in their TOS, the customer is responsible for backing up their own data - but saying that we (as non customers) also don't know just how easy they allow the customer to do that.
Getting to the nature of the complaint - Obviously any company such as Hostinger has to position to minimise legal threats as per what they ultimately are responsible for hosting, and would do so by setting up processes to monitor for threats, detection measures such as looking for file fingerprints, possibly by using A.I. in a clever means. They'd also have a process to handle external complaints from people or companies on the web.
I can sort of guess what might have started the ball rolling,[1] (complaints by various domain providers) but that in itself, is not a proof, just that someone did not address those whatever they were issues in a timely manner. The person within Hostinger tasked to deal with the external complaint, given an apparent non reversal a suspended domain with the customer apparently simply ignoring the fact they have a suspended domain; isn't probably going to go to great depths to call in the system admin to confirm. Now they might be wrong given the small number of edge cases where it's all just a mix up or some other honest problem ... how many domains and with how many different providers?
[1] >They denied us access to our own data, even for non-suspended domains
I was bored so decided to dig a little as it interested me. I found [1] to be helpful explanation of services Hostinger offers. I would gather from [2] OP's business ought to have had access to on demand back up -- as such I would have the expectation that a large streamlined hosting service, would be able to provide a given number of back ups exported to any practical external storage area via a variety of protocols -- however again, as a non customer I have no idea if what I would expect is the actual situation. However running 70 sites without any form of external just in case back up, or monitoring them daily / closely, was an accident waiting to happen -- accidents happen and the prominent OVHcloud incident in 21 should still linger in those tasked to secure their web based company's future. Other technical fubar accidents can also happen like ssd raid dying catastrophically. I myself was amused when my own data in server was updated and data migrated to a ssd raid 5 ... it failed weeks later - expectation was it would be at most a partial loss, however hard the system admin tried over a couple days, little could be recovered, just a couple of gigs of old images - thankfully all but the newest files were backed up so it was easiest to just let it go and start from scratch. Ssds are IMO very unforgiving but in time they will get better in regard to failure detection.
[1] https://themeisle.com/blog/hostinger-pricing/
[2] https://old.reddit.com/r/Hostinger/comments/1jlunm9/beware_o...
> We were hosting Cloud Enterprise top tier server on hostinger and about 70 sites were active on server. All gone including crucial data
Hello,
I work at Hostinger and I'm really sorry to hear about your experience. Please know that we take situations like this very seriously.
Our team has already contacted you directly to go through the details and help clarify everything. We want to make sure you feel heard and supported.
Thanks for your patience, we’ll do our best to help you.
Can you share any details with the rest of us, without any specifics, so we might be able to better understand your side of the story?
Your comment was marked dead, by the way. Your account might be flagged as spam because your most recent few submissions were also dead. Might wanna email HN about that if you want to post here more.
I'll share what's posted at reddit
Jellyfish8775 replied to the reddit thread "
Hey, we totally understand how stressful this must have been, and we're glad to see your hosting plan is back up and running. That said, we want to clear up a few things.
When phishing activity is detected, whether intentional or due to a security breach, we have to take action to protect other users. Suspensions aren’t random, we follow strict security protocols, and while we understand it’s frustrating, keeping the platform secure is a top priority.
Also, managed hosting doesn’t mean full security management, server security is a shared responsibility. If an account gets compromised (through weak credentials, outdated software, or vulnerabilities in third-party apps), action needs to be taken on both sides to prevent issues.
About data access, when phishing-related suspensions happen, we have to be extra cautious before restoring access. That said, we always work with our customers to resolve these cases properly, as happened in your situation.
Again, we’re glad this was sorted out, and if you ever need help tightening security on your server to avoid future issues, just reach out!"
I had been politely waiting for the OP to update rather than just repost the above response ... but I guess we could assume they are working hard to sort out their troubles with the 70 sites in regard to however many had been suspended. I dare say organising back up as well if that's also their role.
Thanks for sharing this!
I wonder what actually caused the temporary suspension. Was some protocol not followed? Was the OP not sharing all the details? Was it a case of bad bureaucracy who only responded because of the public backlash? There wasn't quite enough info to tell.
Not that we should speculate since it is the sort of thing where one's proverbial neck is on the chopping block with all access revoked ... 10 minutes or a couple hours could well feel like a lifetime. Resolving problems often takes time, possibly only when whomever has been tasked with it begins their next work day.
As for accusing replies they received -- probably just the cookie cutter responses when their account went dead from the outwards facing staff at Hostinger. Reviews take time generally. Again this is just speculation on my part.
I have observed in the nature of the web, some people expected to be treated like royalty or better ... often way better and not accepting of this day or days but this second, now I demand it. It would not be the first time a; not at this minute, in time, under investigation, not until type response is construed to be hostile, unhelpful, being an utter bast@rd, or worse.
Given the reply by Jellyfish8785, their account was compromised. With about 70 sites, it would not be surprising if one or more had an older version of forum or blog software which would allow a script kiddie to gain access to one site and from there others.
As for suspended domains. In the absence of a reply from abuse or admin @somesite.foo the next usual step is for netizens who've spotted a big issue is to report the site to the domain host as it is (well has been) easy enough to find and file a report.